Jason Manar, Chief Information Security Officer at Kaseya
FIU and DigitalEra Group, recently hosted their sixth annual Secure Miami Conference on May 5th, 2022. Secure Miami brings the cybersecurity community together to address the latest security threats and strategies in a networking forum.
Dr. Mauricio Angee, Associate VP & CIO at University of Miami Health System (UHealth), moderated the panel discussion on “Resilience against Automated Threats.” Read this blog post to learn what panelist Jason Manar, CIO at Kaseya, had to say regarding misconfigurations and human errors in organizations’ security programs.
Dr. Mauricio Angee:
Reports coming out of the industry highlighted that 90% of the incidents are accredited to misconfigured systems and human errors. Are organizations paying attention? And to follow up what should organizations and vendors do to enhance our cyber security programs?
Jason Manar:
The latest that I saw from an IBM report was 93 to 95% of all intrusions were attributed back to human error and/or some type of social engineering, whether that's a phishing attack or whether that's smishing, any of the social engineering attack vectors.
During my career in the FBI, what we saw the most was precisely this. I've talked for over a decade and tried to help other companies in that capacity: fortify their education process, and put a policy in place that actually has teeth. Also, oftentimes I find that teaching executives by being analogous to where we are in the world today, not where we were, is crucial.
So, for example, everyone out there, my turn to ask you a question: Would it be acceptable right now, today, if you were the very last person in the office and left the doors wide open and didn't set the alarm for physical security? Would you come back? Would you have a conversation with anybody about physical security about that, or would they be like, okay, you've got a pass? And it doesn't matter whether you're in Miami, it doesn't matter whether you're in Kentucky, you know? No more can we leave the doors of our homes or of our offices open, or metaphorically where our crown jewels are in this digital world, which is on our network. All our crown jewels are on our network.
And so, is it acceptable to allow people time after time? Because I know that you have a training program. Almost every single CSO or CTO or CIO I talked to after an incident, with their head facing down, has said, “Jason, I knew John Smith has been my problem child for the last year. And we couldn't ever get them to take our phishing campaign seriously. They constantly, over and over, were offenders.”
And I said, “So what did that policy look like? What were those discussions at the Board Table? How did you address and push that risk up to management?”
Sometimes I would get, “Well, we had several conversations.” A couple of times I got, “Well, it's my CEO.” But that was a couple of times. My point is, most of the time we know who the offenders are, but we haven't done our due diligence either to push up what that risk is so that we can act, or to have a policy in place that gives it the same teeth as physical security.
Back when I was in the FBI, five years or so ago, I was on a stage and I was espousing something very similar. And I would say back then, “I'm a huge baseball fan. Why don't we have a three-strikes-and-you're-out policy? And if not three strikes and you're out, at least some kind of teeth.”
And I'll tell you personally, after the first incident, not only do you have to go through training again, but, depending upon your level of access, you must talk to me. After your second incident, you must do the training with your manager and their manager, and you must talk to me and the CEO. And then, on the third strike within the same calendar year, that's a whole different conversation.
People take these campaigns super seriously if we take them super seriously. And when we have unfettered data that supports what we know to be true, we must bring that to the forefront.
DigitalEra is a leading solution provider of network and cybersecurity products and services, serving major business, education and governmental agencies throughout the US. In addition to access to the most sophisticated and effective security products, DigitalEra provides expert guidance on use as well as ongoing security counsel and insights that help their clients prevent security breaches and mitigate threats. For more information, visit: www.digitaleragroup.com.