Companies Should Adopt Default No Trust Position on Programs to Protect Against Cyberattacks
Panelists identified risks in employees freely accepting links without thinking about their associated risks.
WASHINGTON, August, 24, 2022 – Companies should assume that new programs installed on company systems pose a threat to their networks to ensure a vigilant position on hacking risks, according to an expert on cybersecurity, after the country faced a number of high-profile cyberattacks recently.
The zero trust approach in which the default position is one of distrust of new programs was touted by Osman Saleem, cybersecurity and privacy director of operational technology and internet of things at professional services firm PricewaterHouseCoopers in Canada, who was speaking as a panelist on a Fierce Telecom event on Monday.
The event heard that the vast majority of security breaches at companies were a result of human error, including clicking on links containing malicious software (malware) that can wreak havoc on and suspend company systems. Data, in the case of a ransomware attack, can be locked away until the company pays a monetary sum to get it back.
Fred Gordy, director of cybersecurity at smart building company Intelligent Buildings, said companies sometimes don’t even back-up their systems in the event of an attack and only end up doing so in response to an attack.
Gordy also encouraged the zero trust approach to company security by assuming all digital programs and software have malware.
Opportunities for better cybersecurity
Saleem proposed that cybersecurity documents be reviewed and revised regularly because the cyber landscape always changes. This, he said, can protect the digital infrastructure of the companies’ systems, operations and employees.
Meanwhile, Congress has been pressing the issue, following the high-profile cyberattacks on software company SolarWinds, financial services company Robinhood, meat producer JBS, and oil transport company Colonial Pipeline. President Joe Biden earlier this year signed, as part of a larger budget bill, the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which requires certain critical infrastructure companies to report cyberattacks to the federal government.
A House Oversight and Reform committee investigation concluded that certain hacks on companies were perpetrated through, in one example, an employee accepting a fake browser update. In the case of Colonial Pipeline and JBS, the use of many devices connected to the internet (IoT), the investigation found mass-produced factory password settings may have been the point of vulnerability.
