What’s Next for Cybersecurity?

A Conversation with John Morea, Global CIO at The Next Practices Group

The rise of the hybrid work environment has given employees more hours in their days and companies more options in the labor market. It has also, however, added to the ever-evolving list of cybersecurity concerns. In honor of Cybersecurity Awareness Month, John Morea, Global Chief Information Officer at The Next Practices Group, spoke with The Bliss Group about what’s changed in the cybersecurity space, what’s to come, and what companies can do right now to protect themselves.

Tell us a little bit about your background. How did you become interested and involved in IT?

I first learned about the importance of cybersecurity when I was working as a programmer for Verizon. I handled a lot of personal information for their system. Cybersecurity has greatly evolved since my years with Verizon, but it’s something I’ve prioritized in every role since.

More recently, I’ve developed HIPPA-compliant apps for the medical industry and worked on music licensing apps, then ran IT for Havas North America and served as Global Managing Director of IT for Real Chemistry. When working with data in a global environment, you have to deal with certain privacy rulings such as General Data Protection Regulation (GDPR). These rules pertain to personal data processed in the EMEA (Europe, Middle East and Africa) regions. When working with data from these regions there are strict handling and processing guidelines. Then there’s Personally Identifiable Information (PII) data, which is getting stronger, and North America as far as privacy data, could be anything from someone’s first name to the last four digits of their phone number. It’s getting really granular and it’s open to interpretation. Data processing and data security are two the main focuses these days that we really have to look at.

What has been the biggest change to cybersecurity in the last 10 years?

The biggest change in the last decade happened in the last two to three years because of the pandemic. So, you have to think about how the whole workplace went from a network-centric kind of standard—everything in the office you plug in within the corporation—to this hybrid environment. Now I have people working in all parts of the world and there are a lot of prying eyes as you start to spread outside your little nest.

There’s a term being used that I started implementing called Zero Trust Policy.  Zero Trust Policy is moving away from that network-centric kind of setup and going to this system that’s able to support scalability and mobility.

Also, this hybrid environment with people working from all over the world is all about Software as a Service (SAAS) security, which is placing the necessary protection on the endpoints, so every computer will have a built-in firewall so we can go into any office or Starbucks and have the same corporate security policies across the board.

Team products like Zoom also had to evolve their encryption. Do you remember all the Zoom bombing people were doing at the beginning? That industry really had to tailor itself for the changed environment.

Now anybody can work anywhere, and it’s cost efficient because I don’t have to go crazy setting up a new office space with all these things. I can treat it as someone working from their house or someone working from the Starbucks.

How do you think the space will change or evolve in the next 10 years?

There are a lot of bad people out there trying to knock on any door that they can. My last company had an attempted breach over 36,000 times a day. People build systems that hackers automatically try to break into, since they’ll just keep going, “Alright. Let me try this. Let me try this.” There are attacks happening all the time.

There’s also the rise of smishing, which is SMS phishing done on cell phones. An example is when someone pretending to be the CEO of a company texts, “Could you set up those gift cards?” So those are all done by chance. And I hate to say it but, security-wise, I can control everything except human reaction. Things like smishing are making it so that a company’s employees are its weakest link. The healthcare and banking industries are at an increased risk of attack. If we teach people just how to react, how to smell something’s not right, that’s a big part of it.

Endpoint protection model is already replacing traditional antivirus software and we are going to see more companies shift cybersecurity tactics in this direction and deploy things like geo-blocking to combat increasingly sophisticated attacks from regions that are considered rogue.

What do you wish more individuals and companies knew about cybersecurity and the associated threats?

Attacks are getting more advanced, yes, but so are cybersecurity tools. Companies can and should engage in penetration testing or blue-team and red-team testing. For security testing, the blue team is the company experiencing a cybersecurity breach. The red team is an external hired vendor or internal security team that is looking for ways to evade detection and get access to what lies behind a company’s IT defense wall. So, the red team determines where the faults are, and the blue team does the mitigation to close those gaps. There’s a whole learning process and all these tools are getting more advanced as people are getting more advanced with the ways they try to get in or fool us.

What is the easiest first step for organizations to take in preventing a cybersecurity crisis?

Human training. As corny as they are, have everybody watch a five-minute cartoon movie on viruses or people trying to hack into computers or coerce them into giving information over. Get to the point where employees are writing you to ask, “Do you think this is real?” I want that reaction before they click. They asked, you know, and that’s huge.

Also, encourage clients to change their passwords every three months, create passwords consisting of phrases and opt for multi-factor authentication, whenever possible.

How can internal communications mitigate cybersecurity-related issues?

I’ve seen how impactful emails cautioning employees and clients about clicking a certain link or recognizing a cyber scam can be. Companies need to encourage employees to report anything that doesn’t look right to IT. A five-minute conversation can save millions of dollars.

What advice would you give to someone who’s interested in pursuing an IT or cybersecurity career?

Cybersecurity is one of the largest growing, best paying and most needed parts of IT these days. IT and cybersecurity are always evolving, so learn all you can about emerging threats and opportunities.

To learn more about cybersecurity and thwarting bad actors, read “Protecting Your Company from Becoming Part of the Disinformation Ecosystem” next.