Cybersecurity Lessons From The Rhode Island State Police

After struggling with human error and cyber criminals for 30 years, it appears the information technology security industry has finally reached its infancy.

So I felt while attending a North Providence compliance education event last week (courtesy of Compass IT Compliance). The program featured one of the more interesting security speakers I’ve listened to: Captain John Alfred, who handles cyber security investigations for the Rhode Island State Police. (For the record, he is the state’s Cyber Crimes Unit and Fusion Center Commander — the agency has come some ways from just investigating street crimes and the Mafia.)

Nobody Can Long Survive Loss Of IT

For an hour or so, Alfred discussed the breadth and seriousness of cyber-crimes, which can knock a company completely offline. The consequences of any such business discontinuity can be vast. For example, he mentioned the recent Hurricane Maria-caused infrastructure disaster that struck Puerto Rico. The territory’s power grid is, effectively, gone: No computers, no transactions, etc.

With that in mind, how many businesses can function without their data or networks for a day, let alone two weeks? A cyber-attack can leave any organization just as helpless as a natural disaster would. How long can a company go without Web access? “Some businesses can’t bounce back,” he said.

No one is immune. Alfred even cited a massive data loss at a local police department — an event that (at least temporarily) erased something like seven years of criminal-investigation-related data and files.

The More Security Changes…

Alfred covered the usual suspects in his presentation: phishing, ransomware, hackers, and so on. The methodology repeats itself: cyber criminals find one point of vulnerability, enter it, and move “horizontally,” penetrating deeper and deeper into the network or data center. Then they strike when they are ready.

And perhaps they are only going to get more daring and effective. Breaches seem to be getting more severe over time. For instance:

  • Target: The 2013 breach, enabled by the stolen credentials of an air-conditioning contractor, affected 41 million people.
  • Yahoo: Also in 2013, hackers exposed data on 3 billion end
  • Equifax: This recent breach caused the bleed-out of crucial data on 145 million people — allegedly because of one negligent IT employee. Alfred noted the credit reporting bureau’s CEO is now gone, as is only fair. (It appears possible that there was a cultural problem that enabled managers to ignore blatant security lapses, as a Fortune article notes.)

Security Is A Group Challenge

At the end of the day, every company, from the CEO on down, must take responsibility to protect network credentials and sensitive information. That means no yellow stick-it notes with passwords written on them, glued to the computer monitor. “It takes a village,” said Alfred.

And so it does. Success requires training, education, testing, firewalls, and policies. This can be complex. Are you interested in beefing up your cybersecurity, but don’t have the internal resources? Consider turning to a managed security solutions provider (MSSP). When you’re ready, our experts are here to discuss cybersecurity in New England — and beyond.