As old-fashioned exchanges have given way to high-tech trading systems, it wasn’t shocking earlier this year to learn that hackers had broken into Nasdaq. But there have been several more high-profile hacks, including one targeting Citigroup and today’s hack attack on the CIA.
The episodes concern Patricia Titus, now Chief Information Security Officer at Unisys and, a decade ago, one of the critical staff who aided the acting secretary of the Treasury Department during 9/11. A few months ago, she wondered whether the Nasdaq hack represented something new and could indicate that more hacks were coming. Now she says no industry is safe from cyber-attacks and that the government needs to share more information with the U.S. companies that are on the front lines. An edited version of our conversation:
What do you think of the recent hacks?
It’s taken about seven years for our financial institutions to change their culture of how they secure their systems. So it’s troublesome that we’re seeing more attacks against our financial institutions.
The troublesome part, in my mind, is they [the financial institutions] were ahead of the hacker curve. And even with all of the sophisticated technology that’s been deployed, it’s still taking place. Now hackers are using the easiest possible target, and that’s the human factor. One of my big soapboxes is if you don’t start educating from the board level down to the cleaning crew, they become targets of opportunity for the hackers.
How could a cleaning crew enable a hacker?
Maybe they’re cleaning your offices and on a break they all pull out their wi-fi [devices] and are maybe on a guest network. Hackers are looking for the easiest way to gain access. Or some of these attacks are getting so clever that they look like legitimate emails. The e-mail subject line is something like “recruitment plan for 2012.” Someone goes in, clicks on an Excel spreadsheet, and launches a backdoor.
Financial institutions have been on the cutting edge, and to see this number of attacks happening – is it time for us to look at another way to protect data and our infrastructures? Are we still lacking basic cyber-security hygiene in our networks, missing the basic things, allowing perhaps too much mobile access?