Yahoo, Target, Anthem, Home Depot, Sony, eBay, Staples, Kmart, P.F. Chang’s, the U.S. Postal Service, the White House, the Democratic National Committee.

The list of companies, government agencies and groups that have been hacked grows longer every year.

Cybercrime knows no boundaries and it impacts tens of millions of Americans every year, at home and at work.

But there are ways to prevent the breaches and minimize the risk.

The San Diego Business Journal has assembled a panel of five of the region’s top experts in the field of cybersecurity. At a special forum on Oct. 19, they will discuss the challenges facing businesses, information technology officers, medical administrators, law enforcement and academics. They will talk about some of the technologies that are being used to counter cybercrime and offer potential solutions.

Here is a preview.


Darin Andersen

Chairman/Founder, CyberTECH

How did you become interested in cybersecurity and how long have you been involved in the field?

I’ve been involved in cybersecurity for about 15 years. I first became interested in the field as an outgrowth of my previous roles in networking technology.

What percentage of businesses do you think proactively guard against cybersecurity threats?

These days, I’d estimate that nearly 100 percent of businesses have some understanding that they need to be thinking or concerned about cybersecurity. But many of those — probably more than half — lack the proper resources to fully implement an effective enough program.

Do you think cybersecurity remains an afterthought for most businesses? If so, why?

There’s a large and increasing category of companies that take cybersecurity very seriously and apply the necessary resources to combat the threats that are out there. But too many companies regard it as a “nice to have” as opposed to a “need to have” — similar to protecting your home with additional locks on your doors and outdoor security lighting. These days, cybersecurity is a “need to have.”

Do San Diego businesses have any unique challenges?

Yes, because we’re a global hub for cybersecurity and that makes us more of a target. We have a broader footprint with a large military presence, along with our adjacency to one of the world’s busiest international borders. We have a unique set of capabilities for cybersecurity hardware and software, which makes us a bigger target for our adversaries. Being in San Diego, we’re even more mindful that these are dangerous times.

Can businesses really keep up with increasingly sophisticated hackers?

Certainly, the goal is to make yourself a hard target, not a soft target, by practicing what we call good cybersecurity hygiene. These practices include deploying stronger technologies and training your people to be ever-vigilant about their own digital habits as well as corporate security.

Have you or your business ever been hacked?

Yes, I’ve been victimized by identity theft, aimed at myself and family members. And yes, many of the businesses that I’ve been involved with have either been subject to hacking attempts or successful hacks.

Have you watched the TV show “Mr. Robot” in which a group of hackers takes down the U.S. monetary system and disrupts the global economy? How real do you think this scenario is?

I do watch “Mr. Robot” and to me, it definitely forebodes an alarming scenario that’s both realistic and believable. We need to ensure that we protect ourselves because we do have those types of adversaries. It’s not necessarily every nation-state, but I’m talking about those more radical nation-states and groups that want to disrupt our economy and political system, and change our way of life.

What’s your favorite movie/book/TV show about hacking/cybersecurity?

“War Games” (1983) is still my favorite movie. It’s one of the original computer hacking movies — a young hacker gains access to secret U.S. nuclear war systems. I’m also a big fan of “The Art of War” by Sun Tzu, the timeless military treatise that dates back to 500 BC.

What is the most important advice you give businesses?

Always make yourself a hard target. Hope for the best, be prepared for the worst.


Gary Hayslip

Deputy Director and Chief Information Security Officer, City of San Diego

How did you become interested in cybersecurity and how long have you been involved in the field?

Back in the late 1980s, I became interested in computers and the idea of building networks. Then in 1996, I read a book on the concept of information warfare. The idea of how networks could be used for both offensive and defensive means fascinated me and that started my career in cyber. I have been doing cybersecurity for over 20 years.

What percentage of businesses do you think proactively guard against cybersecurity threats?

I think for small businesses it is probably 10 percent to 15 percent. As organizations mature, they tend to spend more for information technology and more resources are focused on security. Unfortunately, I find when I speak with companies they think, “I have a firewall and anti-virus on my desktops, so I am good”; not even close.

Do you think cybersecurity remains an afterthought for most businesses? If so, why?

Yes, I think most businesses are just focused on keeping the lights on. I honestly think as organizations grow they then think to add security as they purchase more information technology solutions to be competitive. The only time where I have seen that to not be the case was small businesses that were operating in a vertical that had “compliance” requirements which forced them to have security controls in place.

Do San Diego businesses have any unique challenges?

I do think because of the unique technology clusters we have located here in San Diego we are an attractive target. We are the second-largest city in California and the eighth-largest city in the U.S. Plus, we have DoD, telecom, biotech and a growing cyber/IoT startup scene. Couple that with major research universities and there is a large bull’s eye on the region. So if I was a business here in San Diego, I would accept the fact that I will be attacked.

Can businesses really keep up with increasingly sophisticated hackers?

I don’t think they have to keep up. I think what they need to do is get the basics down and then use a framework to actively inventory, assess, scan, remediate and monitor their networks. There is no organization that will ever be 100 percent hacker-free. There are always risks with every technology an organization implements. What they can do is put in an enterprise security program and implement basic security processes, including technologies such as anti-virus, firewalls, patch management, encryption, etc. Then train their security teams and the organization on security awareness. To sum it up, cybersecurity is a life cycle and organizations need to understand it’s a continuous business process they need to factor into their strategic business plans.

Have you watched the TV show “Mr. Robot” in which a group of hackers takes down the U.S. monetary system and disrupts the global economy? How real do you think this scenario is?

I love that show! The hacks/tools they use are real actual tools. The scenarios in that show are relatively real; to get them to happen here today, it is not totally impossible because there are always risks with massive, sprawling critical infrastructure. One thing I do think is kind of farfetched is that in the show they got away with it and left very little forensic evidence. Something of that size, you leave digital debris behind.

What’s your favorite movie/book/TV show about hacking/cybersecurity?

Movie — “Hackers,” “Swordfish” and “Ghost in the Shell”

Book — “CISO Desk Reference Guide,” “TCP/IP Guide,” “Silence on the Wire,” and “Takedown”

TV Show — “Mr. Robot,” “The I.T. Crowd”

What is the most important advice you give businesses?

That security isn’t hard; accept it as just a part of doing business. Bake it into your business strategy early so as your organization grows you will already have it in place. It is more expensive to try and add security later after an intrusion. If you have security in place, you may have an incident but the impact to your company and its operations will be lessened. The goal is to build resiliency into your IT infrastructure so you can absorb an incident and not go down.


Stephen Cobb

Senior Security Researcher, ESET North America

How did you become interested in cybersecurity and how long have you been involved in the field?

In the late 1980s, I saw how devastating computer theft could be for companies, and how hard it is to keep confidential data secure when you start networking computers. That led to my first book on the subject, a guide to PC and LAN security that appeared in 1991. I started providing security consulting to companies and became a CISSP (certified information systems security professional) in 1996.

What percentage of businesses do you think proactively guard against cybersecurity threats?

Well, I would hope that all companies are at least doing some proactive protection of their systems and data against cybersecurity threats, but sadly the percentage who are doing all the things they should, and doing them correctly, is probably well below 100 percent. Financial institutions tend to be closer to 100 percent than health care organizations. To some extent, this is understandable — banks have been fully computerized for a lot longer than doctors and hospitals — but every organization in every sector needs to get as close to 100 percent as possible.

Do you think cybersecurity remains an afterthought for most businesses? If so, why?

This does vary by sector. For example, some of the first criminal hacking was against phone companies in the 1970s, so telcos tend to think of cybersecurity as part of the business. Sadly, not enough businesses realize that any type of commerce that involves data can be targeted by one kind of cybercrime or another. You sometimes encounter companies that are really on top of security and then find that they were hacked in the past.

Do San Diego businesses have any unique challenges?

Some types of information, and some types of unauthorized system access, are particularly high-value targets, for example, defense-related systems or biomedical research data and intellectual property. And San Diego has these types of targets in abundance. At the same time, San Diego has a highly collaborative and supportive community of cybersecurity professionals, which is good to know.

Can businesses really keep up with increasingly sophisticated hackers?

Yes. The myth of the uber-hacker is one Hollywood creation we could do without. The main reason that we are not catching and convicting a lot more criminal hackers is they enjoy the advantage of sheltering in countries that are either failed states or complicit states. With constant urging, from customers and consumers, as well as government agencies, many businesses continue to improve their security. And our friends in law enforcement are a lot more cyber-savvy than even a few years ago. The problem is we need more — more resources devoted to bringing swifter justice to cyber-perpetrators, and more people stepping up as cyber-defenders.

Have you or your business ever been hacked?

If I enter my email address at haveibeenpwned.com I can see it was compromised in numerous security breaches, but I think I managed to change my password fast enough in each case.

Have you watched the TV show “Mr. Robot” in which a group of hackers takes down the U.S. monetary system and disrupts the global economy? How real do you think this scenario is?

“Mr. Robot” takes place in an alternative reality where one giant corporation got “too big to fail” to a degree we don’t see in the real world, and at the same time that company made some fairly obvious mistakes in its cybersecurity implementation. So the “Mr. Robot” 5/9 scenario was never going to be realistic. The show gets credit for showing a wide range of hacking techniques fairly realistically, but the underlying premise is more surreal than real.

What’s your favorite movie/book/TV show about hacking/cybersecurity?

Brian Krebs’ book “Spam Nation” explains a lot, and widely quotes UCSD’s Stefan Savage, so that’s one of my favorites. I also like Ulrich Beck’s “World at Risk” for the way it frames modernity in terms of technological risk. In terms of film and video, here are two golden oldies I like: “Sneakers” and “Max Headroom.”

What is the most important advice you give businesses?

Base your security decisions on a thorough and frequently refreshed risk analysis. That means being realistic about how pervasive cybercrime has become.


Eric Basu

CEO, Sentek Global

How did you become interested in cybersecurity and how long have you been involved in the field?

In 2005, I was at a conference for the Navy, the topic of which was how to network enable all of the systems in the Navy on a common protocol and network. They had 10 goals of the initiative to network all of the systems, and when I asked why security was not listed as one of the 10 goals, the panel of admirals gave blank stares and then one said that “it will definitely be on the next slide deck.” That was when I realized that as more and more systems were brought onto the internet, security would become a critical issue rather than just a side note.

What percentage of businesses do you think proactively guard against cybersecurity threats?

Maybe 10 percent.

Do you think cybersecurity remains an afterthought for most businesses? If so, why?

Yes. Because unless it is seen as essential for the business — in other words, the business will fail because of a security breach — most businesses prefer to prioritize other issues (e.g., sales, employee issues, customer service, easy access to systems). In addition, most security comes at a cost and with some inconvenience, and businesses are unwilling to pay those costs or put up with any inconvenience. Many businesses, particularly small businesses, also feel that the threat is overrated, or that they are too small to merit attention from hackers.

Do San Diego businesses have any unique challenges?

From a cybersecurity standpoint, we’re much like most other urban areas, with the exception of defense contractors. Because they deal with classified and sensitive U.S. government information, defense contractors often are targeted directly by nation states.

Can businesses really keep up with increasingly sophisticated hackers?

Yes and no. If a nation state or highly sophisticated attacker wants to get you, they probably will. It’s the equivalent of trying to put multiple locks on your front door when someone is coming at you with a bulldozer. However, most businesses can lower their risk profile significantly with some very basic steps.

Have you or your business ever been hacked?

I wouldn’t say if we were. We do, however, get targeted on a fairly regular basis.

Have you watched the TV show “Mr. Robot” in which a group of hackers takes down the U.S. monetary system and disrupts the global economy? How real do you think this scenario is?

Well, there are groups (some inspired by the show, no doubt) who attempt this all the time. So far, luckily, they’ve been unsuccessful. As we saw with the Bangladesh SWIFT hack that attempted to steal $1B, though, systems that were thought to be unhackable are continually proven wrong.

What’s your favorite movie/book/TV show about hacking/cybersecurity?

I can’t say that I have one.

What is the most important advice you give businesses?

  1. Know what your “family jewels” are for your business — what you cannot afford to lose and who would want to steal that data.

  2. Ensure those systems are protected to the greatest degree, and as much as possible segmented or completely separated from less secure systems on the network.

  3. Employ a layered defense strategy including perimeter and end-point defense.

  4. Ensure that if you’re relying on your own employees to manage your security they have the appropriate training to do so.

  5. Train all of your employees (not just the IT staff) on cybersecurity measures (i.e. never give a password over the phone, never click on links in email, etc.).

  6. Employ outside companies to verify your security. A vulnerability assessment and/or penetration test performed by neutral professionals will almost always provide useful information on your security gaps that have been missed.

  7. Build security into your annual budget. You can’t do one vulnerability assessment and purchase a firewall then forget about security for the next year.


Winnie Callahan

Director, University of San Diego Center of Cyber Security Engineering and Technology

How did you become interested in cybersecurity and how long have you been involved in the field?

My serious role in cybersecurity began in 1995 when I worked with U.S. Strategic Command and the University of Nebraska to build the Peter Kiewit Institute, an initiative to combine engineering, information technology and cybersecurity into one of the nation’s foremost cybersecurity programs, offering both graduate and undergraduate courses/degrees.

What percentage of businesses do you think proactively guard against cybersecurity threats?

I think most businesses think about cybersecurity and the massive hacks of late have encouraged many to move to action. Board members have grown more and more concerned about “their liability.” The issue is how many really know what to do and how to do it. In reality, I suspect that less than 15 percent to 20 percent have addressed cybersecurity in the appropriate fashion.

Do you think cybersecurity remains an afterthought for most businesses? If so, why?

Cybersecurity does remain an afterthought for most businesses. It’s very hard to spend a lot of money on something you don’t understand and on something that even the company techies often have trouble attempting to quantify. Cyber is not something that can be bought and weighed by the pound. It is also complex from the technology itself, to the training requirements, to the issues now in the mainstream involving outsourcing, clouds, patches, firewalls, insurance, third-party vendors. The list is massive and very intimidating to explain to laymen and to even begin to have them understand the nature of the beast.

Do San Diego businesses have any unique challenges?

San Diego has a lot of unique challenges. The city is rich in industries such as biotech, chip makers, mobile communication providers, a robust financial sector, the usual critical infrastructure businesses such as power, water, transportation. To complicate things, you have a huge port complex, serve as a gate to the Pacific and Asia, have one of the world’s largest Navy contingents, the Intel community is here and you have massive tourist attractions. In short, San Diego is a “wonderful” target for all types of attacks!

Can businesses really keep up with increasingly sophisticated hackers?

Businesses absolutely cannot keep up with the increasingly sophisticated hackers. In a way, this is a city that draws every bad element from street criminals who see cyber as low-risk/high-reward opportunities to well-funded nation states. This means we are ripe at all times for what is called “advanced persistent threats.” We have to be right every time, while the bad guy only has to make it through once.

Have you or your business ever been hacked?

Yes, universities are excellent targets for a host of reasons. As an individual, I’ve had my share of spear phishing, for example, but have not suffered the catastrophic attacks like identity theft. There is a saying that there are two types of people or businesses in the world: those that have been hacked and know it and those that have been hacked and haven’t figured it out yet.

Have you watched the TV show “Mr. Robot” in which a group of hackers takes down the U.S. monetary system and disrupts the global economy? How real do you think this scenario is?

I have not watched “Mr. Robot.” To the question of whether or not the U.S. monetary system could be brought down and disrupt the global economy … the answer is probably. Think back to Georgia and Estonia … not a shot was fired. Then think about the massive thefts of credit card numbers and personal information.

What’s your favorite movie/book/TV show about hacking/cybersecurity?

My favorite book on cyber was “Cyber War” by Richard Clarke. I’ve also read and reread “Secrets and Lies” by Bruce Schneier. We often use this book to introduce students to cyber security. It has impact.

What is the most important advice you give businesses?

Businesses should develop a fully vetted cybersecurity policy complete with all the necessary elements. Hire well-educated people and keep not only your technical team well-trained, but your employees as a whole. Remember that approximately 80 percent of all breaches are a result of people and most are within your organization. Good people do careless things, but if you don’t train, you can’t blame!