Page 2 of 2
Levay promises to talk at length publicly about his work at Bit9 "farther down the road." Until then, he said he was hiring additional security staff and streamlining some processes to gain control and oversight over operations.
"The security within Bit9 is something that is taken very seriously across the board coming from the executive management level all the way down," Levay said. "We are really maturing how we approach everything and taking a fresh look at how we approach everything."
Levay said his work at the Center for American Progress involved addressing an environment under constant attack. User awareness training was critical because employees in various roles from workers in the national security group or researchers on foreign policy, climate or trade, were likely to be targeted by spearphishing attacks, particularly from state actors, Levay said.
"We were under constant attack and onslaught," Levay said. "Not a week went by where there wasn't another attack that we were monitoring."
In 2009 the Center for American Progress reported that it suffered a data breach following a sophisticated attack on its systems. In a breach notification letter (.PDF) sent to the Maryland Attorney General's office, the organization said the names and Social Security numbers of current and former employees were exposed. The attackers impacted both the Center for American Progress and its Action Fund.
Levay said he was lucky enough to find two or three respected people within the organization who took security seriously and within a year, a strong security culture had been instilled within the organization. If employees had any doubt about the validity of email content, they would send it to the IT staff for analysis.
"If you are lucky enough to get one of those situations that's the kind of thing that can push an awareness program over the line," Levay said. "You have to find champions within the organization."