It’s likely that every company (and household) would benefit from having Andrew Tannenbaum ’97 on their side. Since 2012 he has served as the chief cybersecurity lawyer for IBM, where he works to help defend against hackers hoping to gain to access private electronic information. Prior to IBM, Tannenbaum gained 10 years of experience in senior security positions for the U.S. government, including at the Department of Justice and the National Security Agency. He recently penned the Op-Ed, “To Prevent Cyberattacks, Share the Threat Data,” for The Wall Street Journal. We asked the former Dartmouth history major to give some security tips to companies and individuals.
1) What can companies do to protect their information from those on the “dark web” and elsewhere?
Companies should have a comprehensive strategy for managing cyber risk. Here are some of the basics:
- Put a strong CISO (chief information security officer) in charge. Map your infrastructure; understand who has access and where your most sensitive data resides. Make sure your systems are patched and up to date.
- Have an incident response plan for breaches and practice it. Don't just rely on a firewall and think you can keep all the threats out. Assume the hackers are already in (they probably are) and use data analytics to look for signs of unusual activity.
- Train your employees. One of the most common ways hackers get in is through phishing, which involves tricking people into clicking on links or opening attachments that contain malware. At IBM, we send fake phishing emails to all of our employees as part of regular exercises, and it's a pretty effective way to keep everyone alert. Nobody wants to get an email from the CISO telling them they were duped.
- Hire a good cyber lawyer! Having a strong day-to-day relationship between the CISO and General Counsel functions is really critical for managing cyber risk.
2) How many online passwords do you have? More seriously, is there anything consumers can do to lessen the chance of having their personal information hacked?
- Too many to remember! One company estimated that people have an average of 81 passwords. It's no wonder we all have password fatigue. One day we will kill off the password and use more advanced authentication methods, like biometrics. But until then, our passwords should be strong, changed frequently, and not re-used across multiple accounts. Use common sense by monitoring your bank and credit card statements. Don't click on suspicious links or fall victim to phone scams seeking your personal information. And if you receive a notice that your information has been breached, sign up for the free credit monitoring that is typically offered.
3) Did any of your undergraduate experiences at Dartmouth help prepare you for your current career in cybersecurity?
- Dartmouth is where I first developed my interest in law and public policy. With funding from the Rockefeller Center, I spent my off term interning at the White House. That set me on a path to law school and back to D.C. after 9/11, where I became a national security lawyer. I also wrote my first op-ed for The Dartmouth my senior year, on a Supreme Court decision. The WSJ op-ed was my second, almost 20 years later.