Speaking at a session titled "The new cybersecurity domain: Your worst day is a quiet day," Rich Baich, a principal at Deloitte & Touche, said enterprises must take some of their focus off network weaknesses and put it on the "center of gravity" -- the data.
"If you just get the vulnerabilities, you will never win the war," Baich said. "You have to assume someone's already been in the house." That means organizations must instead concentrate on data going out the door, he said. While basics such as patching and logging can help prevent or identify a majority of incidents, organizations must also add a personal touch suited to their individual environment. For example, security practitioners can set a trap by labeling a certain file "Top Secret" and then watching whether an intruder combs through it, looking for sensitive data to siphon out.
Panelist Dan Srebnick, CISO of the New York City Department of Information Technology and Telecommunications, agreed that organizations must reconsider their tactics when it comes to stopping today's attacks.
"Too much the worry is about what's not getting in rather than what's going out," he said, adding that companies should consider geotagging their documents. "If you see a lot of data going out to where it shouldn't be going, sound the alarm."
Then, show the proof to upper management to help make the case for security dollars, Srebnick said.
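The two tactics described above, a decoy file whose access is watched and an alarm on data leaving for places it should not go, can be prototyped as a small log detector. The following is an added example, not code from the panelists or the article; the audit-log format, the decoy path, the "canary-svc" owner, the allowed-country list, the volume threshold and the address-to-country table (using documentation IP ranges) are all constructed assumptions, and a real deployment would replace the table with a GeoIP lookup.

```python
"""Added example: canary-file access and outbound-transfer alerting over
constructed audit lines. Nothing here is from the article or the panelists."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumptions for this example (not from the page):
DECOY_FILES = {"/finance/board/Top_Secret_merger_plan.xlsx"}  # decoy that no real task reads
DECOY_OWNER = "canary-svc"            # the only principal expected to touch the decoy
ALLOWED_COUNTRIES = {"US"}             # where outbound data may legitimately go
OUTBOUND_BYTES_THRESHOLD = 50_000_000  # alert once a user sends more than 50 MB in the window

# Constructed stand-in for a GeoIP database: documentation ranges mapped to
# made-up country codes. Replace with a real lookup in practice.
GEO_TABLE: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("203.0.113.0/24"): "XX",  # unrecognised / unexpected region
}


def country_for(ip: str) -> str:
    """Return the constructed country code for an address, or UNKNOWN."""
    addr = ipaddress.ip_address(ip)
    for net, code in GEO_TABLE.items():
        if addr in net:
            return code
    return "UNKNOWN"


@dataclass(frozen=True)
class Alert:
    kind: str    # decoy_access | outbound_anomaly | outbound_volume
    user: str
    detail: str


def parse_line(line: str) -> dict:
    """Constructed format: <timestamp> <event> <user> <path|ip:port> <bytes>."""
    ts, event, user, target, size = line.split()
    return {"ts": ts, "event": event, "user": user, "target": target, "bytes": int(size)}


def detect(lines: Iterable[str]) -> List[Alert]:
    """Walk audit lines and raise alerts for the two patterns the panel described."""
    alerts: List[Alert] = []
    outbound_by_user: Dict[str, int] = {}
    volume_alerted = set()
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        rec = parse_line(raw)
        if rec["event"] == "FILE_READ":
            # Any read of the decoy by someone other than its owner is suspicious by design.
            if rec["target"] in DECOY_FILES and rec["user"] != DECOY_OWNER:
                alerts.append(Alert("decoy_access", rec["user"],
                                    f"read decoy {rec['target']} at {rec['ts']}"))
        elif rec["event"] == "NET_OUT":
            ip, _, port = rec["target"].rpartition(":")
            code = country_for(ip)
            total = outbound_by_user.get(rec["user"], 0) + rec["bytes"]
            outbound_by_user[rec["user"]] = total
            if code not in ALLOWED_COUNTRIES:
                # Data heading somewhere it should not be going: sound the alarm.
                alerts.append(Alert("outbound_anomaly", rec["user"],
                                    f"{rec['bytes']} bytes to {ip}:{port} ({code}) at {rec['ts']}"))
            elif total > OUTBOUND_BYTES_THRESHOLD and rec["user"] not in volume_alerted:
                # Allowed destination, but an unusually large cumulative volume.
                volume_alerted.add(rec["user"])
                alerts.append(Alert("outbound_volume", rec["user"],
                                    f"{total} bytes sent so far, last to {ip}:{port} at {rec['ts']}"))
    return alerts


# Constructed sample audit lines for a stand-alone run.
SAMPLE_LOG = """
# <ts> <event> <user> <path|ip:port> <bytes>
2024-05-01T10:02:11Z FILE_READ alice /finance/q1_report.xlsx 120000
2024-05-01T10:05:42Z FILE_READ canary-svc /finance/board/Top_Secret_merger_plan.xlsx 0
2024-05-01T10:06:13Z FILE_READ bob /finance/board/Top_Secret_merger_plan.xlsx 88000
2024-05-01T10:07:00Z NET_OUT bob 203.0.113.7:443 4000000
2024-05-01T10:08:30Z NET_OUT alice 192.0.2.10:443 30000000
2024-05-01T10:09:45Z NET_OUT alice 192.0.2.10:443 30000000
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"[{alert.kind}] {alert.user}: {alert.detail}")
```

On the constructed sample this raises three alerts: bob reading the decoy, bob's transfer to an address outside the allowed region, and alice crossing the volume threshold on her second transfer. The decoy check is deliberately strict because a properly placed decoy has no legitimate readers, which is what makes it a low-noise signal compared with ordinary file-access monitoring.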
The panelists spent much of their discussion preaching the basics -- and key among those is risk education.
"Security is everybody's job," Srebnick said, later adding, "It is never too late for anyone to become aware."
Baich said to start at the top, not just because cultural change moves quicker if senior management accepts and promotes it, but also because corporate executives are the ones being singled out in highly targeted attacks known as spear phishing.
He closed with a recommendation that security pros consider their "cyber profile." He drew on the example of a burglar driving down the street of a neighborhood, casing homes to see which one appears to be the easiest target.
In all likelihood, all that most organizations need is a little security tune-up, he said. But, returning to the title of the presentation, if all appears calm within the network, don't be fooled.
"If your enterprise is quiet, you're probably missing out on something," Baich said.