During a panel, moderator James Taylor, CEO of the Florida Technology Council, opened the discussion by telling panelists Jason Bertoch, network security lead for the Florida Digital Service; James Dobra, director of security solutions for HP Inc.; and Andy Olpin, senior solutions engineer for Lookout, Inc., that they would use ChatGPT to identify the top 10 cyber risks and then share what they think.
According to ChatGPT, these risks are:
- Malware: malicious software used to disrupt, damage or gain unauthorized access to a computer system
- Phishing: the practice of sending fraudulent emails from a reputable source to convince individuals to reveal personal information, such as passwords
- Ransomware: malicious software designed to block users or organizations from accessing files on their computer in return for some form of payment
- Distributed denial of service (DDoS) attacks: the flooding of a server with traffic to prevent users from using a certain website or online services
- Insider threats: a cybersecurity risk or threat created by an authorized user to harm an organization’s network
- Zero-day vulnerabilities: an undiscovered system flaw with no defense or patch to protect against cyber threats
- Advanced Persistent Threats (APTs): a cyber attack that goes undetected for an extended period, allowing hackers to access sensitive information
- Internet of Things (IoT) vulnerabilities: from a cybersecurity perspective, IoT devices are vulnerable to attacks due to weak security measures
- Supply chain attacks: a specific type of cyber attack that targets less secure software or hardware within an organization’s supply chain
- Social engineering: manipulating an individual to access sensitive information or a computer system
“The No. 1 biggest threat is phishing,” Olpin said. “We’ve seen a lot of attackers start to pivot towards mobile devices because if I send you a phishing link to corporate email, I gotta get through 100 different security products, and even if I get through all the security products, everything’s logged and recorded. If I send you a text message, I typically have to go through zero security products, and whether you click on it or not, nobody’s got logs that it happened. It gives you a way to really target individuals.”
Another panelist made a similar point, saying that organizations aren’t hit with ransomware directly but are often sent a suspicious email first.
“Right out of the gate, you aren’t hit with ransomware. You’re hit with an email that has an attachment,” Dobra said. “There’s multiple stages to an attack. People can’t steal from inside your house until they’ve gotten inside.”
As for state government, Bertoch highlighted a different concern altogether.
“One of the challenges that we have is not having application mapping,” Bertoch said. “Maybe you have a server that’s targeted for doing an investigation; well, what is on that server? What data does that server have access to? What other servers does it talk to? In many cases, figuring that out on the fly introduces a lot of extra time, and the investigation really slows us down, so that’s definitely something that I’m pushing for.”
Based on the panelists’ answers, Taylor summed up the discussion by saying, “cybersecurity threats depend on who you are and what that threat is to you, and that can be with a state agency, city or county. Those threats can be slightly different, and the size of your organization can play a role.”
As for the state’s cyber landscape, Lieutenant Governor Jeanette Nuñez highlighted a few of the state’s most recent security efforts during a special session at the event.
“When we came in 2018 and got elected, we started to look around and see that we needed to really invest in the infrastructure and the people we have working in cybersecurity,” Nuñez said. As a result, “we were able to develop the task force, which was the precursor to the advisory council, and we were able to look at the state’s cybersecurity posture, governance and overall operation.”
For context, the state’s cybersecurity task force was created in 2019 during the regular legislative session via House Bill 5301. Once established, task force members focused on improving the state’s security program and prioritizing risks posed by identified threats.
However, in 2020, the task force disbanded, and the Florida Cybersecurity Advisory Council took its place in 2021. Since then, the council has focused on assisting state agencies in protecting their IT resources from cyber threats and incidents.
Another topic Nuñez discussed was the state’s Cybersecurity Security Operations Center (CSOC), which oversees the digital assets of partnering entities and identifies and mitigates threats in real time to ensure uninterrupted service.
“For the launch of the CSOC, we had zero — and I will repeat that number again — zero agencies that had ever shared cybersecurity data in real time; they were operating exclusively in silos,” Nuñez said. “Today, I’m proud to announce that we have more than 35 of our state entities that are working in an integrated fashion. They are plugged into the CSOC, and they are sharing data in real time, and that really gives us confidence in knowing that what we’re doing throughout the state is focused on resilience and making sure that we are on the front lines of innovation and collaboration.”
The CSOC has also added more than 200 local partners to its roster in the last several months, expanding data-sharing capabilities, Nuñez added.
Lastly, the lieutenant governor highlighted the success of the state’s $30 million competitive cybersecurity grant program.
“In my opinion, this has been one of our boldest initiatives to date,” Nuñez said. “It was designed to allow local governments to improve their own cyber capabilities regardless of technical expertise.”
According to Nuñez, a number of municipalities now have new capabilities available to them, including asset discovery inventory, endpoint detection and response, security operation platforms and security systems, thanks to the grant program.
But what about the people on the ground responsible for overseeing security operations?
To gain a bit more perspective on what cybersecurity leaders are seeing on a daily basis, the summit hosted a CISO roundtable Q&A panel featuring Bill Hunkapiller, CISO of Florida State University; Steven Payne, IT security coordinator for Escambia County; Florida CISO Jeremy Rodgers; and New Hampshire CISO Ken Weeks.
Key takeaways included:
- It’s not “if” a cyber incident will happen, but “when.” For example, Hunkapiller said, “At the end of the day, something’s going to happen at some point in time, right? You’re not going to be free from it. But it’s being in that position that we can recover.”
- Know what tools are at your disposal. For example, Payne said, “One easy one is making sure you stay updated on all the tooling you have. You could have best-of-breed tooling, but if you haven’t visited it lately, you might not have turned on options that you should have to see what you need to see or may have some things on that shouldn’t be.”
- Trusting and empowering your workforce is key. For example, Rodgers said, “At the end of the day, I think it’s about trusting your people, empowering your workforce, trusting your partners and putting them in a place to succeed. At the end of the day, there’s only so much I can do. It’s our team who really needs to be able to deliver what we need to, so I think empowering the team and giving them the tools they need to succeed is probably the best we could do.”
- Know your vulnerabilities. For example, Weeks said, “Do we have a lot of vulnerabilities that are inherently built in? For us, they’re built into legacy procurements. We’re trying to identify that and get those things fixed that have real effects on real humans. I don’t know if that keeps us ahead of the curve, but I think we’re at least trying to avoid being drowned by the curve.”