SALT LAKE CITY — Companies large and small need to make cybersecurity a top priority in this time of rising online threats targeting businesses and governments across the nation.
Nearly 300 people attending the Salt Lake Chamber’s second annual Cybersecurity Conference heard that message reiterated throughout the event this week at the Hilton Hotel in downtown Salt Lake City. The conference was designed to help small and mid-size businesses develop, evaluate and strengthen their cybersecurity programs.
"The starting point is understanding where your risks are as an organization," explained Anders Erickson, director of cybersecurity services for accounting firm Eide Bailly. "(It's) understanding the environment that you work in and the type of activities that you do, and where those activities open up the organization to risk."
Companies need to take a "top-down" approach to cybersecurity, Erickson said, meaning executive leadership should proactively develop how individual firms set up their cyber protection programs rather than leaving it to information technology departments to react to threats as they happen.
"(It's) being able to enact the initiatives and the policies that create a culture within the organization where cybersecurity is an important aspect of how you do business and part of everyday life," he said.
Cybersecurity should be embedded into the fabric of a company's culture, Erickson added.
"It's something that has to be constantly reviewed and monitored, and becomes part of the cost of doing business," Erickson said.
Companies must align their information technology requirements with their security needs, said Ryan Layton, CEO at Salt Lake-based cybersecurity and risk management company Secuvant.
The event featured various panel discussions, including how cybersecurity impacts local businesses in today's global climate. Ivy Estabrooke, executive director of the Utah Science Technology and Research initiative, said maintaining awareness of potential threats is key for companies of all sizes, along with being informed on the latest risk considerations.
"Talk to someone who is actually an expert to get that input on how to (tackle the threat)," Estabrooke said. "Cybersecurity is such a rapidly changing landscape that it is a full-time job to keep up with it."
Consulting with someone who tracks those matters regularly is better than trying to do so as a novice, she said. Also, maintaining adequate training on proper security protocols within the employee base is paramount to avoid cracks from developing in the organization's safety protections, Estabrooke added.
"Make sure they're not opening that Nigerian prince email and understanding the critical pieces of the company's intellectual property that need to be protected," she said.
For companies that could be targeted by cybercrime, the FBI advises the development of a reaction plan.
"The majority of companies are not ready to respond," said Jeff Collins, supervisory special agent with the FBI's Salt Lake City field office. "Some of the larger corporations have pretty robust systems in place, but a lot of the smaller and midsize businesses really just don't have much of anything in place.
"Usually it takes some sort of a breach to happen before (firms) are willing to invest in some sort of a cybersecurity program," Collins said.
All companies should be thinking about how to bolster protections against cyberthreats in today's environment, he said.
"If you don't, it's really going to come back and hurt you later," Collins said.
While the cost of developing a plan can often be expensive, doing so will be well worth it in the long run, he added.
John McClurg, vice president of Irvine, California-based technology firm Cylance, spoke on the development of a new security paradigm rooted in artificial intelligence.
AI programs are already being used to help protect important data from would-be hackers, McClurg said.
"That's encouraging because the rate and pace at which the bad guys, adversaries and threats are working, there is no reason to believe that process is going to slow down at all," he said. "Having processes that are very human resource intensive is going to increase the likelihood that you're not going to succeed (in protecting your business)."
Machine-learning, enhanced artificial intelligence will likely be the solution to provide the proactive protection needed to stay ahead of the ongoing threats of the cyber attack, McClurg said.
"AI is going to allow us to wrap our arms around the historically siloed (possible indicators of a trusted insider who is thinking of going bad) that traditionally we weren't able to wrap our arms around," he explained. "Now with the aid of AI and machine learning, we're able to access all those (indicators)."
Before artificial intelligence, "we were stymied in the world of reactive detection (to breeches) because we didn't have the tools to wrap our arms around all those early indicators," McClurg said.
"Now with big data analytics, algorithms and the aid of math, we're able to pull it together to give us those early indications," he said.
Lane Beattie, president and CEO of the Salt Lake Chamber, called cyberattacks "one of the biggest threats to Utah business."
"And yet too many businesses are either not prepared or underprepared to handle these cyberthreats,” Beattie said. "No matter the size of the business or organization, everyone should have a cyberplan in place. This is no longer just an IT problem; it’s an organization problem that needs to be addressed by every business across the state, in every industry and in companies of all sizes."
Conference attendees heard from top experts from government and the private sector about how to assess cybersecurity threats, the challenges for small and mid-size businesses, and how to create cyber incident response plans.
“While cyberattacks may be inevitable, they do not have to be devastating. Preparing for this reality will allow businesses to respond in a fluid manner that enables recovery,” said Matt Sorenson, chief information security officer and vice president of risk management at Secuvant.
Correction: In a previous version of this story, two comments from Anders Erickson were erroneously attributed to Eide Bailly, which is actually the name of the accounting firm he works for.