Daniel Brazier is a Solutions Engineer at WP Engine, a leading managed WordPress hosting platform. In this episode of the Marketing Science Podcast, Daniel talks to us about cybersecurity risks for healthcare and science companies. He also provides valuable tips on how to prevent cybersecurity attacks, both for businesses and for individuals.
We were also joined by Will Soutter, who you may know from our Podcast about Podcasts episode and who is AZoNetwork’s in-house cybersecurity expert. Below is an adapted transcript from AZoNetwork’s Marketing Science Podcast.
How important is it for companies to take cybersecurity seriously?
Cybersecurity should be a huge priority for companies, particularly for companies in the healthcare and science sectors. It’s also important for organizations to understand that something like building websites is not a one-shot project. Because the policies and requirements are constantly changing, cybersecurity needs to be an ongoing piece to stay on top of. Things like patching, updating and keeping servers secure should all be done regularly.
How does GDPR tie in with your work?
A large part of our work is ensuring best practice around security and the way that GDPR ties into that is complicated, particularly because WP Engine is a global company, with headquarters in the US.
It often isn’t just a conversation about GDPR and includes things like ISO 27001, Safe Harbor agreements and Privacy Shield. For GDPR specifically, many people left it to the last minute, which is a common theme with a lot of cybersecurity processes.
By now, most have figured out how to stay aligned with GDPR, but there are still many misconceptions. In our work, it’s more of an ongoing conversation about what smaller parts we can move forward to make sure we are GDPR compliant and stay there.
What are the different kinds of cybersecurity threats that we should be aware of?
There are the obvious ones that make headlines, like the attack this year that broke records for the largest DDoS attack. These big attacks might sound scary or like something out of a Bond movie, but there are also smaller attacks that don’t make the headlines. Everything from the big DDoS attacks down to weak passwords and social engineering are things that people should be aware of.
Security professionals tend to talk about networks and software in terms of layers or stacks. Generally, people should be aware that any one of those layers or stacks is going to have some kind of vulnerability that can be exploited at some point or another.
What is a DDoS or distributed denial-of-service attack?
DDoS attacks are often the ones that make the news. A denial-of-service is an attack where an application is targeted so that it can no longer provide the service to its end users that it is designed to.
A ‘distributed’ denial-of-service attack is a wider attack that may impact larger numbers of people. DDoS attacks are often connected with talk around viruses and botnets, and involve large numbers of computers that are all making requests to one application simultaneously and repeatedly in order to stop an application from doing what it is designed for.
What is a brute-force attack and what can people and businesses do to prevent this type of cyber attack?
Brute force is basically the practice of running through common passwords or passwords that have been previously leaked from databases. There’s an art form in knowing that a certain percentage of people use 12345 or QWERTY for their passwords, or that people tend to reuse their passwords across many sites and create passwords that are tied in with the application that they are using.
My tips for both businesses and individuals are to have a secure password policy, make frequent password changes and use things like password safes or managers. You also want to check to see if any of your passwords have been leaked on a regular basis and avoid using any obvious passwords like birthdays.
How common are database leaks and how concerned should we be about them?
Databases are probably leaked a lot more than we want to acknowledge. Coming full circle and tying that into GDPR, the important thing is not storing data that is able to identify a person or tell you too much about their life in the same database.
The cybersecurity trend that we're seeing now is people breaching multiple databases across multiple companies. They can then piece information together from various leaks in order to build a bigger picture of someone's life, their habits and where they might be vulnerable.
There's a great service that I use a lot called Have I Been Pwned, which is a freely accessible site that is updated whenever there is a big database leak. You can type your email address into the site, and it will tell you if you appear on any of those database leaks.
Within a business, who should be responsible for cybersecurity? How important is having buy-in from senior management?
Within a company, it's important that everyone has some understanding of cybersecurity and what the risks are. It's not that everyone has to be an expert, but people need to understand that most leaks happen because an individual within a company has given away company passwords.
There was a recent hack on Twitter, where some high profile accounts tweeted out, "Send one cent in Bitcoin to this address, and I'll send you back $10,000 in Bitcoin." The target there was a couple of employees at Twitter who had access to those accounts.
Everyone needs to be aware of the risk and take some responsibility for cybersecurity, but if that message comes from the top of the business, then it will carry even more weight. When cybersecurity is prioritized by senior leadership, it’s also going to impact other processes and how systems are built. That's definitely something business leaders should take into consideration.
Can you give a simple explanation of how cybersecurity works in a way that a layperson could easily understand?
The hotel room analogy is probably one of the more commonly used analogies at WP Engine for explaining cybersecurity.
Imagine that you are walking through a hotel lobby. Your first stop is the receptionist, who will start taking your details. That might equate to something like an SSL certificate or a firewall checking that the guest isn’t suspicious.
As you progress up towards your hotel room, there are other measures. Your keycard might only take you to certain floors or open only one door. There's a peephole that could be equivalent to an antivirus or malware checking on security. All of these measures ultimately add up to form the overall security landscape of that ‘hotel’ experience.
Then there are the outward things that we can do. If someone knocks on the hotel door, do we just open it and invite them in? Do we look through the peephole and check who it is? Do we think about whether we’re expecting room service before opening the door? All of that ties into the analogy.
What steps can employees take on a personal level to mitigate cybersecurity risks?
We receive a lot of help from Gmail and other email clients with messages like, ‘Are you sure you want to respond to this email?’. Paying attention to those tools or making sure to check links yourself is a good tip for staying safe.
That pause for thought is important, especially as everyone is busier and under more pressure. If you get an email from the finance team asking you to transfer money, it’s important to take that moment to stop and think about whether this is an expected message or not.
Outside of that, employees need to be responsible for creating passwords that are complex enough so that they can’t be guessed, but memorable enough so that they don’t need to write them down on a Post-it note.
For companies, it’s about finding that balance between the process and the security, and making the process something that doesn't discourage people or make it more likely that they do questionable things.
Can you talk about cybersecurity risks in the science, engineering and healthcare industries?
In the healthcare industry, cybersecurity is incredibly important. There are higher expectations for privacy in those fields and a large volume of personal data that is stored. We often think about personal data as names or addresses, but when you start making that more personal like talking about someone’s health history or tests they have undergone, that just compounds the concerns even more.
In the US, we work with a lot of healthcare and life science companies that deal with HIPAA compliance, which is a set of standards that regulate the storage of medical information in the healthcare sector. It's heavily regulated and there are a lot of expectations and guidelines for these healthcare and science organizations to manage in order to make sure their data is secure.
I think the biggest risk involved in healthcare or in any life science companies that are involved in trials, is that there is a huge amount of personally identifiable and sensitive information at risk.
Many of our clients that are more in the science, engineering or manufacturing industries won’t be as big a target for those larger attacks, but risks can still come in the form of an email phishing scam or a fake email from the CEO asking for information. They may not be as headline-grabbing, but for smaller businesses, they can still be just as devastating.
What are some of the current cybersecurity trends that you are seeing?
There are some interesting trends, particularly through this year as the landscape has changed with people's internet use. While the number of attacks has increased, the level of professionalism of these attacks has dropped significantly.
We're seeing university students stuck at home, and out of boredom, they're choosing to do some hacking. Something that can be good-spirited, or fairly innocent, can quickly turn into denial of service or accidentally leaking data, which, as we talked about earlier, can be particularly damaging for businesses in the healthcare industry.
We still have headlines around DDoS attacks or about big banking leaks, but at the lower level, there are huge numbers of attacks occurring on a daily basis. They might have less of an impact, but can still be responsible for taking smaller businesses offline or even putting them out of business.
How concerned should people be about the information they share on social media and other platforms?
There is definitely an increase in the willingness that people have to share personal information. There was a big leak at MyFitnessPal, and at the time, the cavalier attitude in me said, "Great, someone knows what I had for breakfast". But when you think about it at the wider level, you realize that they also know that I use a fitness app, I use an iPhone, and maybe they can guess that I use PayPal.
Then, they might spam you with emails from PayPal for a few months, and see if you slip up and send some money. You don’t need a lot of data to be able to start targeting someone in a way that seems very personal, even if it’s on the scale of millions of people.
Even if you trust the security at companies like Facebook, Apple or Google, you don’t always know what is going on behind the scenes or if you can trust every employee to be aware of the risks.
What are the typical weaknesses within a website that companies should be aware of?
Something like 51–52% of the vulnerabilities that we see across WordPress are plugin-based. One of the great things about WordPress is that you can quickly interface with external tools by installing prepackaged code that's going to extend and add functionality in some way.
However, the nature of that is that someone else wrote the code for that plugin. People must do due diligence around the plugins that they choose and think about factors like frequency of updates, support and the reliability of the person who wrote the code.
Ensuring things like plugins are kept up-to-date is one of the biggest tips I can give in terms of avoiding vulnerabilities.
How would you find issues or vulnerabilities before they become a problem?
At WP Engine, we try to be as proactive as we can be. We subscribe to various databases that announce vulnerabilities that are found in plugins. There are a lot of bounty programs that well-intentioned hackers take part in to help companies uncover risks. When these vulnerabilities are exposed, we can patch things or let customers know about the risks.
Beyond that, we keep an eye on resource usage. If a server generally uses a certain level of resources and then that suddenly increases, it could be something malicious. Mining cryptocurrency is a common thing that we see sneaking through backdoors and plugins that can cause these kinds of usage changes.
How do you see the future of cybersecurity and hosting? Where do you see cybersecurity in five years' time?
Most things are ultimately influenced by people and how they make money. From a security point of view, that tends to be how we safeguard the money we are making, as opposed to how we actually sell our products. A lot of the trends right now, particularly around search engine optimization and digital marketing are about speed and user experience.
"User experience is king."
User experience often transcends all of the other parts of the conversation, whether it's marketing or security. What happens to your data when you leave the platform, and GDPR, all come under the umbrella of user experience for me. It's increasingly about making it effortless for users and doing the right thing by people in terms of their data and their security.