Cyber Experts: Get Back to Basics

NEW YORK CITY—Although cyber security is complex, experts at the second annual ALM cyberSecure conference in Midtown Tuesday said that organizations which haven't addressed it can and should start to tackle the issue by taking some basic steps.

“Companies like Target and Home Depot are not doing the basic things to protect themselves, stated Doug Ferguson, chief technology officer, Stirling Properties. “Funding the basic measures helps organizations deal with cyber security.”

By way of example, he added, “If you're still dealing with actual desktops at this point, you have an issue. “We made every desktop virtual so every time users logged of, they're refreshing. Virtualization is not that hard to do. The laptops we push out are swapped out every three months, and once they go out, we just assume that they're infected. But virtual desktops are refreshed every night.”

At WeWork—perhaps in keeping with the shared space idea behind the company—employees are taught awareness. “We say, 'You can do a lot with firewalls but sometimes it's the human element where your biggest issue lies,” stated Joe Leggio, CIO. “We do internal campaigns to educate people, and provide data.”

Corporate Office Properties Trust also looks to the wisdom of employees, added Ken Kurz, VP, information Technology/CIO. “We put training programs in place and we've learned that our workforce is a huge asset in identifying threats. Also, we created an incident plan, and companies should test those out.”

Among the employee education conducted, all three speakers noted that they conduct internal “phishing campaigns,” whereby emails are sent from IT to employees inviting them to click on a link that would spell trouble had it been sent by a hacker. Many workers do open the emails and click the links, attested Ferguson.

Kurz also used some outsourced resources to essentially scare employees straight, he shared. “One out-of-the-box thing available to anyone is we had the FBI Cyber Task Force brief our company and they were happy to do it. They have used the presentation many times but it's something that real estate CEOs and CFOs aren't used to seeing. There are resources that our tax dollars go toward that we're entitled to use.”

The panelists also recommended looking to the SANS Institute for the top 20 security controls and the Dept. of Homeland Security “Cyber Resiliency Review,” which is free to download. 

But even more important than having the right tools is approaching cyber security management with the right attitude, noted Leggio. “Don't be afraid and make sure you have investment of your top executives. Impress on them that you don't want to be that next company in the news.”

NEW YORK CITY—Although cyber security is complex, experts at the second annual ALM cyberSecure conference in Midtown Tuesday said that organizations which haven't addressed it can and should start to tackle the issue by taking some basic steps.

“Companies like Target and Home Depot are not doing the basic things to protect themselves, stated Doug Ferguson, chief technology officer, Stirling Properties. “Funding the basic measures helps organizations deal with cyber security.”

By way of example, he added, “If you're still dealing with actual desktops at this point, you have an issue. “We made every desktop virtual so every time users logged of, they're refreshing. Virtualization is not that hard to do. The laptops we push out are swapped out every three months, and once they go out, we just assume that they're infected. But virtual desktops are refreshed every night.”

At WeWork—perhaps in keeping with the shared space idea behind the company—employees are taught awareness. “We say, 'You can do a lot with firewalls but sometimes it's the human element where your biggest issue lies,” stated Joe Leggio, CIO. “We do internal campaigns to educate people, and provide data.”

Corporate Office Properties Trust also looks to the wisdom of employees, added Ken Kurz, VP, information Technology/CIO. “We put training programs in place and we've learned that our workforce is a huge asset in identifying threats. Also, we created an incident plan, and companies should test those out.”

Among the employee education conducted, all three speakers noted that they conduct internal “phishing campaigns,” whereby emails are sent from IT to employees inviting them to click on a link that would spell trouble had it been sent by a hacker. Many workers do open the emails and click the links, attested Ferguson.

Kurz also used some outsourced resources to essentially scare employees straight, he shared. “One out-of-the-box thing available to anyone is we had the FBI Cyber Task Force brief our company and they were happy to do it. They have used the presentation many times but it's something that real estate CEOs and CFOs aren't used to seeing. There are resources that our tax dollars go toward that we're entitled to use.”

The panelists also recommended looking to the SANS Institute for the top 20 security controls and the Dept. of Homeland Security “Cyber Resiliency Review,” which is free to download. 

But even more important than having the right tools is approaching cyber security management with the right attitude, noted Leggio. “Don't be afraid and make sure you have investment of your top executives. Impress on them that you don't want to be that next company in the news.”