Reading time: 15 minutes
In response to market demands for trained network security experts who can combat the rising tide of cyber crimes against individuals and companies worldwide, Maryville University launched undergraduate and an online master’s level cyber security programs this year. What skills must these students learn to protect our privacy, and what can we—as consumers of online goods and services, and as active members of social media communities—do to protect ourselves?
Maryville Magazine asked four St. Louis-based cyber security experts—including three Maryville alumni—to share their insider perspective on network security best practices, and provide tips on ways we can help secure our personal data.
What, exactly, are we talking about when we say ‘cyber security’?
Mary Heger, ’86: Cyber security is technologies, processes and practices designed to protect networks, computers, programs and information from attack, damage or unauthorized access.
Gil Hoffman, ’90: Cyber security is a popular term for information security. When we talk about information security, we’re talking about a strategy to implement controls that ensure the confidentiality, integrity, and availability of an organization’s information assets.
Suzanne Magee, ’96: The definition has changed over time. Originally called network security, cyber security was a term used to describe the offensive side of security, as opposed to network security, which refers to defensive means to protect networks and data. Today, the definition of cyber security has broadened, and is now offensive and defensive in nature.
Jim Whalen: Cyber security focuses on the protection of information systems from theft or damage.
More than half of American adults have been impacted by cyber criminals. Why does this keep happening?
MH: Cyber criminals are getting more sophisticated and persistent in their tactics to access personal accounts and steal data, which allows them to benefit financially.
GH: It’s a combination of things. First, the internet has made it so systems are interconnected. Second, there’s money to be made on the black market from an individual’s data, and there are skilled, malicious people that know this and exploit the vulnerabilities in computer systems attached directly or indirectly to the internet. Finally, many individuals and organizations don’t have the appropriate controls in place to protect, or at least dissuade, attackers. It’s ironic that most people wouldn’t leave their doors unlocked, yet they don’t use safe computing practices—or they won’t speak to strangers, but they will click links or open emails from people they don’t know.
SM: Social engineering. People are easily manipulated by the attackers. And the attackers are savvy about human behavior. They now send malware disguised as security warnings. People wanting to do the right thing will click on the warning, thinking it will protect their network. In actuality, it’s planting malware and harvesting personal information, then sending it out from the user’s computer to nefarious receivers.
JW: Cyber criminals take advantage of the current security environment with multiple points of accessibility (think Omni-channel), the interconnectivity of the internet, the plethora of vulnerabilities in the eco-system, a lack of appropriate controls and the naiveté of individuals.
With advanced technology becoming ever more sophisticated, how do cyber security experts keep up with the latest threats to sensitive data and private information?
MH: Cyber security experts must continue to evolve the approaches they use to protect, detect, and respond to cybersecurity events. Most experts work to build out their defense-in-depth strategies in order to provide multiple layers of defense against attackers. In addition, incident response procedures must be developed and practiced. Training is critically important in order to keep up with the latest threats and vulnerabilities, as well as effective technologies and practices which can be deployed.
GH: Experts protect sensitive data by applying the same controls that are put in place for other systems. Examples of controls are: encrypting and password protecting devices, restricting the type of data stored on devices, as well as malicious applications that could download key-loggers, and controlling how devices connect to an organization’s internal network. Educating users is also of paramount importance, not only to protect the organization, but to protect the individual.
SM: Information sharing and use of Artificial Intelligence and heuristics are the only way to stay a step ahead of the hackers—which means looking at larger trends, thinking like a hacker, and proactively blocking bi-directionally.
JW: Cyber security experts must be vigilant, proactive, and evolve their security protocols to protect their sensitive data and private information. Overt communication, training, and education by the cybersecurity team internally within the user groups are also key.
What action is taken when a data breach happens, and are there regulations regarding how quickly companies must respond? What is the company’s liability?
MH: Each company is responsible for developing its own incident response plan which should be used when a data breach occurs. Regulations exist and vary by industry and depend upon the type of event. Liability depends upon the nature of the event, as well.
GH: Once a breach is suspected, actions include discovery and verification, containment, forensic investigation, notification of affected parties, regulatory agencies and the press. Then a company will work with the affected parties to provide services such as credit monitoring. How quickly a company sends notification depends on the information breached and the company’s regulatory agency and/or state agency. As far as the company’s liability, it depends on the type, scale and cause of the breach, but usually the costs of repairing an organization’s reputation can greatly outweigh the liability costs.
SM: First, action must be taken to protect the information for forensics analysis. It is also important to contact law enforcement to report the incident and get proper guidance. There are companies that do forensics and you can have them on retainer to call and handle all the steps for you. There are data breach protection laws state by state—but the issue is that they are not consistent, and it becomes burdensome for business to understand the requirements in each state if they are selling across the country or through the internet.
JW: When a data breach occurs, the relevant parties in the payments space are notified (including card issuing financial institutions, card acquiring institutions, processors, the card networks along with the merchants and federal government), and an account data compromise is declared. The focus is on gathering the facts, accounts impacted, and immediate remedies to be taken including notifying the cardholders. Time is of the essence as new cards will need to be issued and the breach addressed. The cardholder does not have any liability.
The recent Apple vs. the FBI controversy begs the question: how closely does industry work with government and law enforcement agencies? Are companies, cybersecurity experts, and law enforcement generally at odds, or was this case an outlier, with new issues being raised?
MH: In my experience, there is increased coordination and cooperation between the public and private sectors given the significance of cyber crime and cyber events to U.S. citizens, industry, and governmental agencies. Information sharing is becoming a reality, while protecting personal privacy.
GH: Cyber security and law enforcement agencies are not at odds; rather they cooperate and support one another. Apple is a company that sells products, and part of their brand promise is delivering a device that maintains the owner’s privacy. What’s at the heart of this discussion is not information security, but privacy issues.
SM: Cyber experts work very closely with government as needed and are often passionate about protecting our way of life and welfare in the U.S. and with our allies. But that means they also protect the freedom we enjoy in this country. The issue is not that Apple would not break its own encryption, the issue is that technology has outpaced the methodologies law enforcement uses to monitor criminal activity. Nation state computer scientists can now come up with encryption algorithms to hide their communications—so we can no longer depend on a court order and wire/phone tapping to disrupt the criminal activity. Law enforcement needs new tools and a new paradigm to manage the risk. Innovation will be there to address this, but mindsets need to change to embrace it.
JW: Given the significance of cyber incidents and the publicity these events have caused, we have observed a closer cooperation between the private sector and government and law enforcement agencies. Going forward, there is a need to address the current cyber challenges, while preserving personal privacy. Stay tuned!
Is social media a major contributor to the growing prevalence of cyber crime? Is there really anything consumers can do to protect their information, short of closing accounts?
MH: Cyber criminals use information about individuals gained through all sorts of methods. Social media is one way that information can be obtained and then used to access personal accounts. Be aware of privacy settings on social media accounts and be prudent in what is shared.
GH: I don’t believe social media is a major contributor to cyber crime, but I do think social media contributes to privacy issues. I’m amazed how much information people disclose on their social media sites.
SM: Yes. Limit the information posted, and think before you post. Do you want this to live on the internet for decades? Do you think someone could get enough information about you or those you are posting about to find their homes, cars, know their vacation plans and work routes and parking areas and then rob them? Follow guidelines for security settings—take the time to lock it down.
JW: Social media is one of the sources cyber criminals access and utilize. Be very cautious about what you post in a public forum and take all security precautions to ensure it is protected.
What are some important aspects of cybersecurity every American should know?
GH: Most of the larger breaches we’ve heard about aren’t the result of cyber crime, but are the actions of nation states. In this situation, the data isn’t used for monetary gain, but for other reasons. Breaches are not going away. Frequency of these events will probably continue to increase. Learn safe computing skills and follow the policy and procedures your organization sets forth. While unintentional, many breaches are initiated by the actions of an unknowing employee.
SM: When you are on the internet, you are open to the entire world. It is not a private place to communicate. If something looks suspicious, out of the ordinary for your daily computer communications, don’t open it or click on it. Never give out your password or account information for anything online through an email request. Banks, credit card companies, hospitals, the IRS – these types of organizations never ask for this information through email.
JW: Threats from fraudsters will continue to evolve and increase in volume and sophistication. One must be almost neurotic to stay current and protect one’s information assets. Most companies and individuals will be impacted by security breaches and one must acknowledge that it will occur, take all precautions and, for individuals, communicate with your financial institution.
Our Panel of Experts
Mary Heger, ’86
Company: Ameren Services, a subsidiary of Ameren Corporation
Position: Senior Vice President and Chief Information Officer
Expertise: Heger directs the staff responsible for all IT application development, infrastructure, networks, and future business technologies. She was cited as a Most Influential Business Woman in St. Louis by the St. Louis Business Journal, and is a Maryville University Deans’ Award recipient, a YWCA Leader of Distinction, and a Diversity Journal “Woman Worth Watching.” In 2015, Heger was recognized by STEMConnector® as a top 100 CIO Leader in STEM. She is also a graduate of leadership St. Louis ®, and a member of the board of International Institute.
Gil Hoffman, ’90
Position: Vice President / Chief Information Officer
Expertise: Hoffman’s team creates innovative solutions, exceptional patient experience, operational excellence, competitive advantage and new business opportunities. Hoffman and his technology team support 40,000 co-workers at 46 hospitals, 300 clinics, and thousands of physicians in four states. Mercy, an established leader in healthcare analytics, was voted Healthcare “Most Wired,” and has been recognized by ComputerWorld Honors in Emerging Technology. Hoffman has won InformationWeek’s “Most Innovative Use of IT” 12 times, and has been named by ComputerWorld as a top 100 CIO in the U.S., and Becker’s Hospital Review named Hoffman one of the nation’s top 100 CIOs to know.
Suzanne Magee, ’96
Company: TechGuard Security LLC; Bandura LLC. Bandura
Position: Co-founder/ CEO / President / Chairperson for TechGuard Security; CEO of Bandura
Expertise: Magee’s companies provide threat analysis and network security services. Bandura is located in the Cortex Innovation Community in midtown St. Louis. Magee has received numerous awards as a woman business owner, and her company, TechGuard, has been recognized as a Missouri Regional Top 50 Company, among other industry accolades. Beyond her company roles, Magee is founding member of the TechAmerica CxO Board; chair of the Nanotechnology Consortium Board of Directors; board member for the Small Business Development Center Advisory Board for the State of Missouri; and founding member of the National Cyber Security Alliance in Washington D.C.
Jim Whalen, CPA
Company: MasterCard WorldWide
Position: Senior Vice President for Technology Account Management for U.S. Markets
Expertise: Whalen serves as the key customer point of interaction for all operational and technology matters for key clients within U.S. Markets. From 2003 to 2013, Whalen served as senior vice president of finance and chief of staff for the MasterCard Technologies organization at MasterCard Worldwide. Whalen is a member of the Board of Directors and Executive Committee of the St. Louis Sports Commission, a member of the Board of Governors and Finance Committee of Cardinal Glennon Hospital, and a member of the Board of Directors and Audit Committee of the Saint Louis Zoo Association.
This story was originally published in the Spring 2016 edition of Maryville Magazine.