Carousel CISO Jason Albuquerque was invited to speak on a cybersecurity panel at Providence Business News to share his cybersecurity knowledge gained through real-world, real business experience. During the event, Jason shared important information about breach preparedness, saying “in the case of a breach, how can your teams react? Do they know exactly how to respond? They must be able to develop ‘muscle memory’ to respond.”

Here, PBN recaps some of these sentiments and other panelists’ commentary during an interactive morning spent discussing hot button cybersecurity issues. We also invite you to connect directly with Jason on Twitter and LinkedIn.

A company’s best asset, its own employees, can be its worst enemy when it comes to cybersecurity and employees being properly trained to stay ahead of possible attacks is critical for an organization to keep its valuable data protected.

That was among multiple talking points discussed by a panel of cybersecurity officials and experts Friday morning at the Crowne Plaza Providence-Warwick as part of Providence Business News’ annual Cybersecurity Summit.

Moderated by Doug White, chair of cybersecurity networking at Roger Williams University and podcast personality at Security Weekly, six panelists shared their views on an array of topics during the two-part summit, including what steps are there to safeguard a business from the latest cyber risks, building investment in order to implement effective security programs and filling the skills gap in the cybersecurity industry.

Eric Shorr, CEO and president of Secure Future Tech Solutions of Warwick, said a company’s business email can be compromised by hackers getting into the email system, noting that Microsoft Office 365 has a web portal that hackers can access without using email.

Shorr recalled an instance where a law firm was compromised and the hackers sent out “fake invoices” to every client it had on file.

“Talk about devastating,” Shorr said. “What kind of law firm wants to have that reputation. This is a fairly common attack where a construction company had the exact same attack.”

Colin Coleman, a partner for Providence-based law firm Partridge Snow & Hahn LLP, said third-party vendors and contractors can be a significant cybersecurity risk for companies when electronically connected to them because they “may not be as secure” as the companies that are utilizing their services.

“So, there is great vulnerability there and it’s not recognized until the

attacks happen and somebody gets hacked,” Coleman said.

Jason Albuquerque, chief information security officer for Exeter-based Carousel Industries of North America Inc., said his concern is the industry not having enough people to fill those needed cybersecurity jobs by 2020. Plus, he said that certain decisions people make on how they need to address cybersecurity “may not be where they need to be.”

Shorr also noted that small- and mid-sized businesses “still do not recognize” that they are at risk of a cyber attack and “don’t take it seriously.” Francesca Spidalieri, senior fellow for cyber leadership at Salve Regina University’s Pell Center for International Relations and Public Policy, backed up that claim with data showing that even though large corporations being hacked would garner the most attention, small businesses have the lost to lose if their data is breached.

According to her figures, 43% of cyber attacks target small businesses, and 60% of those small companies go out of business within six months of an attack. It costs a company on average $879,000 because of damage or theft of IT assets and 48% of the attacks are caused by a “negligent employee or contractor.”

Cyber breaches are also not a quick fix. Spidalieri noted an average company takes close to a year to identify the incident and to contain it.

In the second session of the summit, the panel dealt further with ways that companies should build defenses against cyber crime, and, beyond that point, how to react effectively when a cyber breach or attack has happened.

One aspect of self-protection involves locking down the security of third-party vendors. The cautionary tale that everyone remembers is the cyber breach into Target several years ago that was done via Target’s HVAC vendor.

“We need to be responsible and ask vendors to prove they have protections in place,” said Cindy Lepore, assistant vice president for business insurance with Marsh & McLennan Agency. For instance, contracts with vendors should indicate whether the company or the vendor is responsible for fines that may be imposed after a security break.

Albuquerque added, “Vendors are an extension of your own network.”

This principle applies in a similar way to a company’s supply chain and its cloud computing provider.

Defensive measures also involve the purchase of cyber insurance, often considered to be a unique animal in the insurance world, offering coverage that is not generally done well or maybe at all in other business insurance policies.

“You have to read the policies and understand every detail,” said Lepore. Insurance companies could deny coverage if a company does not use good internal practices to protect its computer systems and data.

State and federal laws that require companies to report cyber attacks are meant to be a help in securing data systems and protecting individuals, but they also represent a kind of a threat to companies – in the form of fines that may be imposed for lax internal cyber security.

These laws vary by state and companies doing business in several states must know and comply with cyber laws in all places they do business. January 1, 2020, is the start date of a new California cybersecurity law that reaches almost up to the very rigorous levels of protections now in place in the European Union. Over the coming few years, people involved in cybersecurity will be watching the impact of the California law.

The panel closed with remarks by U.S. Rep. James R. Langevin, D-R.I., a member of the House Armed Services and the Homeland Security Committee. Langevin also sits on the five-month-old Cyberspace Solarium Commission.

The commission, which plans to issue a report next spring, is tasked to examine what role the public and private sectors should have in protecting the country’s information infrastructure; how the federal government should respond to cyber attacks from foreign soil; and how America and its allies should enforce global cyber rules.

This post originally appeared on PBN.

• cybersecurity summit, 
• National Cybersecurity Awareness Month, 
• security