On Tuesday, January 31, 2017, a lively panel discussed The Shifting Paradigm of Data Security: Intelligence & Big Data. The German Center for Research and Innovation and the European American Chamber of Commerce organized the event. The panel included Joanna Burkey, Chief Information Security Officer, at Siemens, Joseph V. DeMarco, Partner at DeVore & DeMarco LLP, Nicholas Johnston, Vice President at Duff & Phelps, and Philip Kibler, Head of Cyber Risk Consulting at AIG.
The panel discussed cybersecurity in the age of big data, especially when dealing with data flows across international borders. Below are some takeaways.
The speakers informed the audience of some recent hacking trends. As a common rule, the motivations to portray an attack remain financial.
Several times they saw information stolen after the hackers had contacts with the target for several months and finally sent a link that would allow them to break in the targeted system and steal data with financial value. Overall, they highlighted how the broken link is almost always the human factor that – because of mistrust or inadequate training – allows the attack to take place.
A second trend consist of the attacks brought against third parties or partners the companies are working with. If your company is considered a “hard” target, the hackers may direct their effort to a somewhat “softer” target with less defenses.
Once data is retained, blackmailing is common.
In addition, the panelists experienced a lot of camouflage: hackers come in to stay and try not to get discovered. It is important to consider all abnormalities: they might reveal that the system is under attack.
Overall, it was pointed out that very often products are not adequately designed and the manufacturer are leaving customers vulnerable to cyber attacks.
The panel also discussed similarities and differences in data protection and privacy regulations between Europe and the US. US is ahead on breach response. Europe may take advantage of the experience grown in this field by the US.
It is always important to remember that there is different laws in each country, so each multinational establishment or each processor shall comply with local privacy requirements.
However, the speaker stressed how compliance is a way to safeguard legal stand but it is not a guarantee for security.
The panel went on to highlighting some best practices in cyber security.
Prevention is key. Companies shall know their assets, meaning anything that is connected to internet. This way you will what is vulnerable and be aware that it needs protection.
Collaboration within your own company is key.
Companies shall have a plan to respond to breaches. Details shall be thought out. For example, how will top managers communicate after a breach?
It is also important to try the plan out so that the planned measures can be effectively enacted, just like it happens in case of fire drills.
Employees awareness and training is key.
Finally, the gathering discussed also whether it is convenient to retain information. On one hand, it was suggested to keep logs and data to facilitate breaches investigation, on the other hand, it was highlighted how that data retention may be a liability. Two helpful comments suggested that it is important to filter what information shall be kept; not all data may be useful. Also, it is advisable to involve lawyers with technical support. This would allow for a rounded protection, as well as apply the attorney client privilege to possible communications.
The flyer to the event is available at http://germaninnovation.org…
Originally published on Technethcis on February 2017