ValueWalk’s Q&A session with Peter Martini, the President and Co-Founder of iboss. In this interview, Peter discusses his and his company’s background, Shadow IT and Cloud security threats, major data breaches, if companies have cyber insurance, if Apple computers get viruses, if smartphones and smartwatches are vulnerable to hackers, fending off phishing attacks, and using multi-factor authentication.
Can you tell us about your background?
I’m the president iboss, a leading cloud cybersecurity company. I have over a dozen patents in my name focused on cloud cybersecurity. I have been with iboss for over a decade helping to solve the challenges organizations face with the changing cybersecurity landscape.
What does iboss do?
iboss provides cybersecurity through the cloud to secure user internet access on any device, from any location. At any given second, iboss is securing millions of end users Internet access to protect them from online threats. Our clients includes federal government agencies, finance and insurance, manufacturing and retailers such as Urban Outfitters and REI.
The latest trends in tech are very hard to understand unless you are an expert - can you tell us about the threats landscape?
Two threats that are currently defining the landscape are Shadow IT and Cloud security.
Shadow IT is the use of any software or programs that has not been developed by or reviewed by a company’s security team. This threat poses obvious risks as it opens the door to attacks that an IT department might not be prepared for.
In the case of cloud applications, company and personal data is dispersed across multiple servers in the cloud, whether through mobile devices or cloud applications, to the point where users have little to no control over who can access their data and where it resides. That’s where companies like iboss come in. With remote employees using cloud applications like Google Docs and Microsoft Office, businesses no longer operate in one central location. Unlike traditional hardware-based cybersecurity providers like McAfee or Symantec, iboss specializes in securing data in the cloud so that users are secure no matter where they are or what device they are on.
An analogy I like to use is that in the past, you were able to build a moat around your “castle” of data, which was all stored in one place. Now, that data is stored in several places and people access it on the move, so you must build an army that can move with it while providing that same level of protection.
In terms of cloud security can you detail what the big names are doing:
Google Drive, Dropbox, OneDrive and others have redefined how businesses work. Programs like Google Docs have become invaluable for businesses of all sizes and have been a boon for productivity. However, these platforms can only do so much to protect data for the companies that employ them. While Google Drive, Dropbox and OneDrive have strong security measures in place to keep data safe, it is ultimately up to users to ensure that those security measures actually work. This is largely due to permissions options. Cloud application platforms will store your information in a vault, but if your employees open the door to others outside or your organization, there isn’t much these big names can do to defend you. Platforms like iboss limit and monitor permissions and ensure employees don’t accidentally compromise vital data.
Business is no longer in one central location or on authorized devices and applications and as a result, hardware-based security solutions like Symantec and McAfee can’t adequately protect their users. The solution to protecting the modern workforce is in the cloud. iboss's cloud offering provides organizational control and security no matter where the user is or what device they are using.
There have been a lot of data breaches lately. Can you tell us some of the major ones?
A large portion of recent data breaches have come in the form of ransomware, in which hackers hold data hostage until a ransom is paid. While once mainly a concern of private corporations, we’ve actually seen a sharp increase in the number of ransomware attacks carried out on cities, states and other public institutions. Some recent notable examples were the attacks on Atlanta, Baltimore and Lake City, Florida. In each attack, hackers were able to shut down or severely impact government processes and services until a ransom was paid or until services were reset and restored.
This is just one example of a type of sophisticated and targeted attack that is on the rise and that is more difficult to identify and protect against.
After a breach, organizations must ask themselves how and why it happened and why it took so long to catch it. The length of time to detect and respond to a threat are critical components in preventing future data breaches and insight can be used to guard against future attacks.
Do these companies typically have cyber insurance which would cover an event like this?
Almost all companies have cyber insurance, but to secure coverage and to maintain it, certain criteria must be met -- criteria which are strictly assessed. For example, insurance assessors demand that companies not only have full control over where their data resides and who has access to it, but they also require that companies have a strict set of cybersecurity criteria for every single vendor that works with the company.
In order to meet the criteria for insurance, most organizations have implemented standard security assessments for every new vendor to ensure those vendors are not liable to become a breach point.
Is a hack the same as a data breach?
No. A breach is defined by the movement of data outside of a system. A system can be hacked without any damage to that system taking place.
Growing up we were told Apple users did not need to worry about viruses is this still the case?
Unfortunately not. While Apple products may be considered less prone to viruses compared to Windows, Apple devices are also less prolific in their security. In the past, Apple’s user base consisted mostly of consumers. Since hackers targeted major businesses, the company had less to worry about compared to a company like Microsoft. However, that’s no longer the case. Attacks on the individual are so much more frequent and now companies like Apple, which has become a major B2B seller as well, have much more to lose.
Are any of the tech giants doing anything to help guard against data breaches?
The most common type of protection that major organizations are implementing is multi-factor authentication (MFA). MFA is a simple process which does a great job of identifying and eliminating potential threats by detecting anonymous log-ins and proactively sending alerts for a potential threat to users. This used to be fairly niche process but now almost most every vendor will offer MFA or at the very least require verification through an app or text.
PCs were much more guarded than phones, can phones also be breached?
Yes, phones are also vulnerable to breaches. The operating systems for phones are designed differently, however.
As an analogy, imagine that in a PC, the operating system is one big bucket. If hacked, a virus can move throughout the bucket and access data in several different areas. However, imagine the operating system in your phone, which is built on apps, to be several different buckets. If an app is compromised on a phone, it is contained to that app and hackers don’t have the opportunity to move horizontally within your phone to chase after other data.
What about smartwatches?
Smartwatches are usually connected to your phone, so yes, they are vulnerable to hacks. Any wireless device that transmits data has higher potential for exposure. A smartwatch from a generic company may be more vulnerable than ones from major manufacturers like Samsung or Apple. Since these larger companies they have more to lose, their code base is typically stronger.
What companies and consumers can do to fend off these more sophisticated and customized phishing attacks?
In order to fend off phishing attacks, companies need to address one of the root causes of why these attacks are successful -- mobility. If employees spent all day in their office on their company computers, phishing would be much less of an issue. Network security systems would catch these threats and prevent them from manifesting. However, the traditional network perimeter no longer exists! People are constantly working on their phones, on their tablets and on their work-provided devices on the go. In many instances, these mobile employees forget to turn on their VPNs -- mobile devices which connect them to their office security system -- leaving them completely exposed to phishing attempts as well as other types of attacks.
In order to ensure that employees are secure no matter where they go, corporations should implement cloud security platforms (such as iboss), which shift the focus from protecting perimeters to protecting users no matter where they go.
Additionally, it is critical that companies provide more training. At some point, an employee will likely end up on an unsecured device and will need to rely on his or her own knowledge to avoid a potentially devastating mistake.
Given this continuing direction of attacks, what can we expect in the wave of innovation around phishing in the future?
There are two types of phishing attacks that are most widespread. The first is what’s called a blanket attack, in which a hacker will send out a general phishing email without any connection to their target.
The second, and much more dangerous approach for users, is a targeted attack. In this instance, hackers will research their targets’ friends, family, colleagues and others to develop incredibly sophisticated and intimate attacks. By utilizing public social media profiles and other information found online, hackers imitate loved ones to infiltrate a user’s system and steal personal information. These types of attacks have been on the rise and they seem to show no signs of slowing.
Thoughts going forward on future threats we will see
We should expect more targeted threats like the ones discussed above. Attackers will continue to arm themselves with public information available on social media to carry out intimate and hard-to-spot attacks on specific users.
The targets for attacks are changing too. Big banks used to be the top targets but now that the tools needed to execute these attacks are cheaper, more individual users are being targeted.
Final advice to non-techies about how they can best guard themselves in today's changing tech environment?
Use multi-factor authentication wherever it’s offered, especially for an application that has access to your financial information. Limit how much personal information you share on social media. Remember that you’re not required to fill out every single part of that profile when you sign up. Use tools that restrict viewing access to your social media accounts. If you ever come upon a suspicious link, even if it’s sent from friends or family, just don’t click.