Added to that is a lack of fundamental security awareness, even at the IT level, within organizations. He referred to one unnamed large company that, he said, “had all the best tools, but had them on default configurations, so they got breached.”
Burrell offered a number of recommendations to keep current with risk management. One is to keep current with academic research. “There are thousands of articles,” he said. “It’s worth having one of your people look at the research for finding risk.”
Another is to use the NICE (National Initiative for Cybersecurity Education) framework for things like improving attack detection in the cloud.
Yet another is to use his agency – the FBI – for malware analysis. “We have an auto-analysis and repository system, which can get you a response in two minutes,” he said. “We get trending data that goes on our classified side.
“If you use us, you might not have to hire forensics people, which could cost you $60,000 or more,” he said.
The key, he said, is to try to maintain some control over hardware and software, and then vet the apps used on it. “That’s the way to a more secure environment,” he said.