
ASHEVILLE, N.C. — Cybercrime costs the world $6 trillion in commerce a year, but companies, including convenience stores, don’t have to be victims, according to Theresa Payton.
The former White House chief information officer and leading cybersecurity expert spoke in August at CSP’s 2022 Outlook Leadership Conference in Asheville, N.C.
If retailers took one piece of advice from her back to their offices, it should be to practice a ransomware attack, Payton said. Ransomware is a type of malicious software, or malware, that prevents someone from accessing computer files, systems or networks and demands the user pay a ransom to regain access, according to the FBI.
Companies should have a staff meeting to define any circumstances where the company might pay in this situation, versus when it wouldn’t pay, Payton said. Also, she advises companies to talk to their legal team and insurance agent to make sure they understand what a path toward not paying looks like. Ask specifically if the insurance company will fund the disruption in service if the company avoids paying the criminal ransom, Payton said.
“I understand why some organizations feel they have to pay. My goal is to make sure you don’t have to pay,” she said.
She also recommends developing a relationship with the local FBI office before a situation happens, and joining InfraGard, a partnership between the FBI and members of the private sector for the protection of critical U.S. infrastructure.
While technology and attacks on technology are always changing, these three guiding principles, provided by Payton, can help businesses face any attack:
- Master human nature. Stay educated about what drives human nature and incorporate that understanding into cybersecurity. Learn from user stories for employees and customers.
- Know the criminals. Create decoys of fake but authentic-looking human profiles and systems that look valuable and leave the decoys vulnerable to cybercriminals. Then, study the criminal elements that attack the decoys and learn from them.
- Beat the criminals at their own game. Leverage the power of artificial intelligence (AI) and behavior-based analytics to create behavior-based profiles of employees as well as profiles of criminal activities. Then, use those profiles to create a “digital bodyguard” to protect good, hard-working humans against digital criminal behavior.
