Chris Sienko: Hello, and welcome to today’s episode of the CyberSpeak with Infosec Institute podcast. This is an audio rebroadcast of a recent webinar we hosted entitled The Business Impact of Cyber Risk. KPMG has reported that 68% of CEOs believe that a cyber attack is a matter of when, not if. Those are bad odds if you’re hoping to bet on the path of least resistance in your security strategy. Is your organization truly prepared to mitigate cyber risks in the new year? If not, you won’t want to miss this episode.
Our guest speakers today are technology risk consultant David Kruse, CIPP-certified attorney Justin Webb, and crisis response and public relations professional Jeff McCollum of Infosec Institute. Today’s experts will help you to discuss cybersecurity at the board level, make sure leadership really understands the risks, assess and mitigate cyber risk at your organization, and reduce the business impact of cyber incidents through planning and response.
Just as a reminder, if you’d like to also watch the webinar as it unfolds, including presentation slides, you can find this podcast on our YouTube page by searching Infosec Institute and visiting our channel. Without further ado, here, along with moderator Megan Sawle, are David Kruse, Justin Webb, and Jeff McCollum.
Megan Sawle: David Kruse is the leader of Hausmann-Johnson Insurance’s cyber practice. His current area of expertise lies in insuring technology risk in legacy industries and data-rich companies. Before moving into his current consulting role, David spent time in a variety of service and account management positions, as well as a number of years in the banking industry. Additionally, David administers a cyber insurance program for a national purchasing consortium consisting of over 50,000 public entities and non-profits. David holds a Bachelor of Arts degree from Marquette University.
Jeff McCollum is the manager of media and public relations for InfoSec Institute. After a long career in the television news business, he joined State Farm Insurance, where he worked in external communications and developed the company’s first dedicated issues management and crisis communications team. His work included developing crisis response plans for data breaches and other cyber threats. In 2015, Jeff joined SC Johnson as a global public affairs manager, working to raise awareness of the company’s corporate and product brands, including global campaigns promoting SC Johnson’s efforts in sustainability, ingredient disclosure, philanthropy and the environment.
Finally, Justin Webb is co-chair of Godfrey Kahn SC’s data privacy and cybersecurity practice group, and a member of the firm’s technology and digital business practice group. His practice focuses on the implementation, use, and life cycle of both data and technology, as well as the nuances of cybersecurity and privacy in the digital age. His work includes advising clients on compliance with domestic and international regulatory skeins governing privacy, negotiating technology contracts, cybersecurity and privacy, due diligence in mergers and acquisitions, and proactive and reactive data-breach response. Justin holds the CIPP US certification with the International Association of Privacy Professionals. And prior to practicing law, served as the information security officer for National University.
At this point, I’d like to open up discussion between our guests, David, Jeff and Justin. We’ll get their expert insights on how to assess the business impact of cyber risk, and importantly, how you can mitigate their impact through effective planning and response. During this time, I encourage you all to share your questions for the panel, as well.
So Justin, cybersecurity, or lack of it, has been all over the news these past few years. Why should all organizations, regardless of their size, be proactive about cybersecurity defenses?
Justin Webb: Hi. This is Justin. I think companies need to be proactive about cybersecurity defenses because the attacks obviously aren’t stopping. They’re getting more sophisticated. And companies generally have legal compliance obligations related to cybersecurity, so there have been more laws put in place that require companies to have something called reasonable security measures, which is sort of an undefined term, but typically means that you are doing the things that your peers are doing with regard to information security. And so, there are some base standard of information security necessary. And if you don’t do that, you can be sued in litigation, you can be brought before a state attorney general, and an enforcement action of the FPC can go after you. And the regulatory landscape is also getting more complicated. In Europe, they passed GPR, which went into effect on May 25, and requires even more of information security. And so generally, you want to be in compliance with those laws, and you also want to protect the reputation of your company. Having a data breach doesn’t do wonders for your reputation in the industry, and especially with consumers.
Megan: Excellent. Thanks Justin. David, would you like to add anything to that?
David Kruse: Yeah. Absolutely. I think, when I’m having conversations with my clients about this, what I like to do is help to sort of rethink and recreate the question. So the question here for me isn’t why we should be proactive about security, because security is a means to a goal. Security isn’t the end goal. The end goal of security is trust between you and your customers, you and your shareholders, you and your regulators, you and the public at large. The end goal of security is business continuity. The end goal of good security is revenue stabilization.
David: So instead of asking why we should be proactive about security, we should ask ourselves, why does our reputation matter? What impact would a sudden loss on a substantial amount of cash have on a organization? And you can define substantial in whatever terms that means for your business. If you as a company lean heavily on technology, what impact does a sudden loss of that technology have on your day-to-day-operations? And to begin to answer those types of questions, the why of why we should be doing security, and why we should be proactive, becomes very visible because we don’t want to suffer large financial losses. We want our business to continue as it normally does. We don’t want to get into fights with regulators or shareholders. That’s why we should be proactive. And then, the steps you take to be proactive, that all sort of falls into line after that. But the why is all those other reasons.
Megan: Yeah, absolutely. So Jeff, David hinted at a little bit of this earlier with brand trust, but what about your perspective as a PR professional?
Jeff McCollum: Right. On the PR side of the house, the brand awareness and the reputation management is always the first thing that the PR folks consider during a crisis like this. But you really need to consider those operational and financial costs that are going to be big hits to your bottom line. There have always been instances where reputations that have taken some hits have been rebuilt and some companies have recovered quite well, and some don’t. But you need to think about that brand. You need to think about your reputation. But also, those operational and financial costs.
I think in a crisis response you can’t count on public fatigue for cybersecurity breaches. I mean, they’re in the news almost every day. You can’t count on people just ignoring that. You can’t count on the news cycle to bottle up your incident maybe one or two days and then it goes away. You can’t. So having your proactive steps in place, having a crisis-response plan in place is going to do a lot for you, and probably in the long run is going to be much better to your bottom line as you sort of balance the cost of time and cost of training, as opposed to whatever operational hits you’re going to take.
Justin: This is Justin. I just wanted to add one other thing, which is, even for companies that are sort of data lean, and by that I mean maybe not a B2C company that collects a lot of consumer information. Technology is sort of pervasive in almost every industry and every business, whether it’s employees using computers, or having servers in a data center. And so, it might not be that you have the type of breach where there are millions of people’s information that’s exposed. But it can be just as harmful to your organization if you have a ransomware event and you don’t have your backups set up correctly, and your company is taken offline for multiple days.
I’ve been involved in breaches with manufacturers who had a ransomware event occur, and they had to shut down the line and send all of the employees home while they were trying to restore the data, or pay the ransom and get the decryption key. So there’s different flavors of the types of threats that are out there, but they all can be extremely detrimental. And to David’s point, interrupt the revenue stream that’s sort of the life blood of typical businesses.
David: And this is David here. I’m just going to tack onto Justin here. I think you make a really good point. And I think it points to, really, what ultimately is a paradigm shift that needs to happen within your average business owner’s mind. Most individuals and most business owners really believe that they’re not necessarily going to be the target of a hack. They’re not going to be the target of some sort of cybersecurity incident. And they convince themselves of that because, just like you said, Justin, they might not be a B2C business that has 30,000 customer credit card numbers, or something like that. They might be a small engineering firm, or a general contractor, or electrical contractor, or something like that.
So even though they don’t necessarily have the types of information that would make a splashy headline, what they have is information that they value. They value their financial information. They value their purchasing and their ordering systems. They value their human resources information and their scheduling information. And hackers can monetize your desire to access what you have, just as much as they can monetize your credit card number or your social security number. So that type of thinking needs to, I think, change on sort of a market-place wide basis, to recognize that just because I don’t have something like a credit card number or social security number, doesn’t mean I don’t have something that could be monetized against me.
Justin: I think companies all have intellectual property, and one of the major things that attackers like to steal, for various reasons, is IP of companies, whether it’s to monetize it in some other marketplace, or to disclose it. And so, it’s as much about personal information as it is about that company IP, and the other financial information that could be involved. Because if you lose that, you may lose the je ne sais quoi that makes your company valuable. Especially if you ever want to sell it at some point in time to somebody else. If there is a known exposure of intellectual property, that might not be worth anything.
Megan: Definitely. And so, we talk a lot here about how cybersecurity really needs to become part of your overall business strategy. And that can’t happen, right, until we have that top level buy-in. David, any tips for working with leadership that’s, maybe, not necessarily from a security background, but to sort of champion data security and stay abreast of the shifting landscape?
David: Yeah, absolutely. One of the most effective tools that I’ve seen in bringing in management that’s not necessarily in the IT space, because your CIO, your CISO, your director of IT, they understand this to a pretty good degree. But your financial officers, your general counsels, your CEO, other people outside of this, they don’t necessarily grasp the impact that this could have and how things have changed over the past few years.
My first recommendation for something like this is to make sure that you’re running tabletop exercises with all of your upper management, not just siloed in your IT space. And if you’re not familiar with the term, a tabletop is just essentially a dry run of a security incident. You can tabletop other types of incidences too, but in this context, we’ll obviously talk security. So essentially what you want to do is get representatives from multiple areas of the company together. Like, IT, like legal, like operations, or communications, or finance, or human resources, and you want to walk through a situation like a ransomware attack, or a rogue employee stealing your intellectual property, or the discovery of a large sum of money being lost to something like a social engineering scam.
You’re going to conduct this exercise most effectively by bringing in an outside firm to run the simulation, because they’re going to be able to bring in a third-party perspective outside of the types of threat that you might normally see, or the types of threat that maybe your peers are seeing in similar industries or in other industries. So by bringing that outside firm in you’re going to have a lot of good outside perspective there. Additionally, you’re going to be able to test drive your own incident response plan. A good firm that provides these tabletopping services should be taking your incident response plan and really leaning on that during this exercise, so that the steps that you detailed, or maybe you’ll find out haven’t detailed, in your incident response plan get exposed within this sort of safe environment so that they can be addressed prior to an actual incident here.
I would recommend that these tabletops be done on a regular basis, annually at a very bare minimum. If you can do quarterly, better. If you can do monthly, that would be fantastic, but that might be asking a lot in some organizations. And each time you hold one of these tabletops, get different people in the room. You never who’s going to actually be in the building or in the room when one of these events takes place. So you don’t want the same people going through the exercise every time. You want to get different faces in there so that you have as many people exposed to what types of steps you need to take, so that when the incident actually happens, you have as best of a chance of navigating your way through this as possible.
Megan: That’s very great advice. Justin, what about working more at that board level?
Justin: Yeah, I think some of the regulatory requirements, especially, for example, the New York Department of Financial Services Regulation and some others require that you have reporting to the board as to the cybersecurity posture of the company at regular intervals. And the reason for that is that there shouldn’t be a disconnect between the C-level in a company and what the IT department is saying, and the board of a company needs to be intimately involved with the cybersecurity posture of the company. And part of that is that there’s going to be proper allocation of resources to the budget of cybersecurity. And also, that the board can’t hide behind a lack of knowledge if something occurs.
So even in the case of the tabletop exercises that David was just talking about, there are scenarios in which the board may be required to make decisions, and some entities have a separate tabletop exercise that involves the board, just so they can understand what exactly occurs in incident response. For example, let’s say the company goes down and the line shuts down because of a ransomware event. It may be a board decision whether or not to pay the ransom. It might not, depending on the governance of the company. But the board should definitely be aware of those possibilities and help to push the leadership of the company towards strategies and having plans for dealing with that, instead of the, sort of, head-in-the-sand approach to things.
In terms of other things to sort of champion data security and privacy, I think just general education regarding cybersecurity across an organization is helpful. So having self-phishing in organizations to show people what happens when they click on malicious links, and having other educational opportunities. I also think you can do things that are a little outside the box. One of them would be to send the people who may be responsible for cybersecurity but aren’t in the IT department, so for example your COO, or your CFO, to a cybersecurity conference so they better understand the things that the IT department is saying. And you can send them to something that’s not overly technical, but talks about it in the context of risk management.
I also think that when you’re trying to get a company to understand cybersecurity risks, having the IT department proselytize to people about all these risks isn’t extremely helpful. It’s more helpful if they are doing visual demonstrations at board meetings or at C-level meetings. Showing how systems can be broken into. Showing how easy it is to crack passwords, and showing the techniques and methods that attackers use, because I think people respond better when they understand the real scope of the risk. So it’s different to say your password could be cracked from showing somebody how you crack a password, and how trivial it can be, especially with things like rainbow tables and stuff like that. So I think using that kind of visual learning can help bridge the gap from the IT guy just, “Wah, wah, wah,” about security risks all day, which is effectively their job. I should know, I used to do it.
Megan: Absolutely. And Jeff, what about, sort of, those internal relationships you can build to help with these conversations?
Jeff: Right. To build on what David was saying about the tabletops and those breach simulations, I go back to very semi-fond memories of 2013 and the Target breach, which I think, probably for a lot of us who’ve been doing this for a while, that really was a crucial moment for a very big insurance company that I was working with at the time. And that inspired really a wide, very robust plan that they wanted to have put in place.
And we very quickly sort of built up a team of everyone that you would expect. Security was there, of course. IT was at the table. Legal was at the table, and the public relations group was also at the table, charged with coming up with a plan that, as much as possible, could be pre-built in case there was a security breach of a sizeable nature. We used to always call it a Target-sized breach. I guess as we look nowadays, the Target-sized breach isn’t really that big in comparison to a lot of the ones that have been occurring lately. But those pre-built teams and pre-built scenarios that were all exercised with tabletops and simulations, and we did them internally ourselves, and we also brought in some vendors to help us out with those, too.
But any number of, sort of, communication devices can be built ahead of time, whether it is an internal communications email-type campaign. You could have your media plans and your media key messages sort of sketched out in advance. You can have all of your distribution channels worked out ahead of time. Your NGOs, your regulators, everybody that needs to know, you can have all of these lists sort of pre-built and pre-populated. Not that I want to say that it’s as simple as fill in the blank, but you can have those things where the decision rights are determined, everybody knows their responsibility should a breach hit.
You could have these things sort of worked out ahead of time, so on the day that a breach does occur, you’re not scrambling around trying to figure out what’s what, and what you’re going to say, and who gets to decide. Because inevitably… and we’ll talk a little bit more about this later… inevitably time is not on your side from the reputation and the brand awareness viewpoint. Some sort of speed at some level is going to be required if you’re going to maintain your reputation management for what it is.
Megan: Absolutely. And before we move on to the next question, we just had one of our guests ask a really pertinent question, so we’ll just tackle that right now. So we have someone who’s actually looking for advice on getting some top level buy-in at a company that’s never experienced an incident. Do any of our panelists want to speak with that? So someone who maybe hasn’t seen that crisis unfold first hand, how someone can get support, knowing that the top-level team doesn’t have experience in this situation?
Justin: Yeah, this is Justin. I worked at an organization that did not have a security incident, and it can be extremely hard to convince… So the thinking is, “Well, we haven’t had a security incident, so that means we’re good to go.” And that’s really not what it means. It just means that you’ve been lucky enough for a period of time to not have one.
And my typical recommendation is that you want to be presenting similar breaches to the type of organization that you are to leadership to show that you’re in contact with these other organizations. Sometimes you’re part of an ISAC, you may be involved with them and you have information about breaches that have occurred at them, to show the impact that it has on similar organizations. The other thing, is that, I think, a lot of those previous recommendations that I made about sort of visual learning and trying to get the board involved in tabletop exercises might help to inculcate them with the, for lack of a better term, fear about an actual security breach occurring. The joke for information security officers is always, “It’s the guy that has the breach that gets the money, if he doesn’t get fired.”
And so, unfortunately, there aren’t a lot of good strategies. But you have to try things outside of the box. And if the things aren’t working the way you’re doing them right now, then try other things that might help sort of raise awareness. I think part of it, too, is bringing in insurance coverage issues, and showing sort of where the gaps are, especially as it relates to social engineering attacks. A lot of insurance companies have gotten smart to some extent to the fact that a lot of attacks are social engineering related, and so they typically have sub-limits for social engineering type events. So where your regular insurance coverage for a breach would be, like, a million dollars, if it’s something involving social engineering it might only be $250,000. And so, exposing some of those gaps, too, might help to say, “Look, we really do have exposure here in the context of phishing or other types of events that might involve social engineering,” to try and bring some awareness.
David: This is David. To piggyback on the insurance discussion, I think you’re absolutely right that it’s appropriate to bring in an insurance broker, an insurance company, that can offer some perspective based on similar types and size businesses here. Where I’ve had the most success in working with either directors of IT or COOs or CFOs related to whether or not they make the investment in cybersecurity insurance or upgraded security tools that their IT staff will actually use, has been to actually, the phrase goes, “Don’t tell somebody when you can actually show them.” So I’ll work with the carriers that I represent, and I’ll put together a claims example that the losses that these companies have actually seen. In the event of this ransomware, that they had to pay $80,000 for this, and they had to pay $125,000 for that. And you actually break down these costs, and you sort of lay out a road map for, if this actually happens, this is a good approximation of the types of dollars that we’re going to have to spend out-of-pocket in order to get back to the position we were in, prior to whatever incident just happened.
So for people outside the IT world, that’s really their first language, is in dollars and cents, so you need to speak their language in that case. Whether it’s dollars and cents or whether it’s time, as well. How much employee time is going to be lost if all of a sudden we can’t use our network computers because our network is blocked, they put some ransomware? So I think instead of saying that we need this and that tool because we need to do this and that IT function, we need to speak their language and say, “We need such and such tool because that’s going to prevent this dollar loss or this time loss in terms of our employees.”
Jeff: David and Justin, this is Jeff. Do you find that the latest headlines of the day, I mean, are those helpful when going to the CEO or going to the CFO for more funding for a program? You’re timing the same time that there’s another major breach in the world somewhere, does that help at all? Or are the CEO’s sort of all concerned about what’s going on in their back yard and suffering from the, “It’s not going to happen to me,” syndrome?
Justin: I think it helps to time those things. The concern is always that, unfortunately, these things happen so often that individuals become sort of immune to it. And there’s a thinking that, “We must be doing something right if everybody else is having breaches and we’re not.” The other part, I think, is that you might not be having breaches, but you’re certainly probably having near misses. And so, a lot of times presenting metrics regarding the number of attacks to, like, IT scans, attempted log-ins, so like, unsuccessful but attempted security incidents can also give some of the scare factor, I think.
So if your information security team is especially good and you’ve thwarted attacks, part of the description is, “Look. We’re getting attacked this many times each day, or each week, and our defenses are holding. But if people get smarter and they implement new things, or there’s some zero-day of vulnerability and we don’t have secondary mitigating controls to try and help prevent against that,” I mean, some zero-days you’re just screwed. But trying to implement layered security so you can try and protect against those, that’s another way to try and get the message across that, yeah, you haven’t had a security event, but it’s just because you haven’t had a guy good enough to get into your systems, and there’s plenty of them out there.
Megan: Can I kick this over to David, because I think this is going to segue well into your industry experience, coming from the insurance industry. But a lot of this, right, comes down to, sort of, assessing your level of cyber risk. And David, I’d be curious if you could speak to, is this something that can be done internally if you don’t have a dedicated security department? What does that look like? Can you contract it out? Interested to hear your perspectives on that.
David: Yeah. Absolutely. I think… pardon me… I think there’s a couple different ways you can do this. And actually, I’m attentive for Justin’s answer because I know he’s got some good stuff here, too. But a couple of approaches that I take with my clients, and I primarily work, like I said, with IT folks, but I work a lot with COOs and CFOs on those executive functions here. When it comes to getting just a very, very, very basic understanding of sort of what your cyber risk posture looks like, one of the most basic ways to do that is to actually look at a cyber insurance application, complete that, and look at some of the boxes you haven’t checked. If you look at an insurance application, the questions that show up on an application are there because the insurance company has either paid claims related to those items in the past, or they know of their brother and sister insurance companies who have paid claims based on those items. So they want to keep an eye out for claims that might be coming down the pike towards them, and try and avoid them, or help their clients avoid them whenever possible here.
So when you look at the things on that application, they’re talking about, are you encrypting sensitive data? Are you encrypting it at rest and at transit? How do you patch your software programs? How often? Talk to me about a patch management procedure. Do you have an incident response plan in place? How often is it tested? Those types of things will really help you assess, okay, where are we at from just a very basic level here? I’ll note again that this is a far cry from a holistic cybersecurity assessment here. But again, for a company that maybe is just starting out, it’s a good place to start. Emphasis on the start. This is not the end, this is the beginning.
A somewhat more robust approach would be to familiarize yourself with the Center for Internet Security’s top 20 controls methodologies. And move through that on a step-by-step basis. If you’re not familiar with that organization, CIS, the Center for Internet Security’s a non-profit organization, and they receive input regarding security matters from IT experts and firms like retail, manufacturing, healthcare, education, government, defense, and more organizations like that. With that data, they in turn publish materials related to threat intelligence, they publish best practices, and they help with security tool assessments. Those 20 controls are a set of actions that organizations can take to cut through sort of this complex fog of more where it’s related to security products and services, and move an organization towards a more secure posture.
In addition to actively improving the security posture, it also helps you develop a documentable set of steps that your company is taking to actually show a regulator or show an attorney general the steps you’ve taken to move yourself towards a more secure posture. And that really, I think Justin can speak to a little bit, how regulators look at a company who, sort of the thought process that they have when they look at a company that is really trying to be a good security citizen, versus a company that’s much more laissez faire about it. They’re going to react differently in terms of potential fines that might come down upon that company, and using this 20-step methodology approach, it helps you show, “This is where we are, this is where our goal is, and here are the steps that we are going to take to move to that more secure place.”
Justin: Yeah, this is Justin. I talked about regulations and this general notion of reasonable security measures, and I think that all fits in the context of sort of understanding what the cyber risk is to the company, and being able to put in place measures to address that risk. And that can be insurance, that can be security measures of the company, whether they’re technical, administrative or physical. But I think in terms of sort of assessing cyber risk, if it’s a small company and you don’t have a dedicated employee or employees for IT security, then you absolutely should be considering bringing in third-party vendors.
There are companies that will be an outsourced CISO for the company, a chief information security officer. They can do risk assessments. A lot of companies have quasi audit firms come in and do a risk assessment of the company. And what a risk assessment really is, is all right, this is the type of business the company is in. This is the type of information that they have. This is their infrastructure and environment. Let’s look at the potential risks to the company. And for all companies, there are going to be a lot of similar risks, like phishing, people hacking into their servers.
But there are unique risks for different types of companies. So a financial institution is going to have fraudulent wire transfers, breaking into bank accounts and committing fraud. Those are different risks than a manufacturing company who may have less because they don’t have that kind of sensitive information. But there’re going to be parallels between them. And really what you’re doing is, you’re looking at how big of a risk it is, what controls you have in place to mitigate that risk, and the resultant sort of level of risk that’s left there, and whether or not that’s an acceptable level of risk for the company, or whether it’s something that needs to be addressed. Typically, you would address the highest level risks in sort of order of precedence. So you can have an outside company do that.
You can do more technical things like vulnerability analysis and penetration testing. And getting back to the regulators, what they’re looking for in terms of assessing the cyber risk is that you’ve thought about these things. That you involved an outside third party in assessing the risk of the company. So it’s one thing for your IT guy to say, “Yeah, we are covered. All our security is good.” It’s a different thing to have an outside security expert say, “Yeah, we’ve reviewed them and actually they’re pretty close to the CIS top 20.” Or “They adhere pretty close to NIST.” And that can be really important for an IT person, also. So if you’re pushing for outside review of your cybersecurity program, you may get the results that help you get the money. So if you have an outside party come in and say, “We’ve looked at the risks, and you guys are doing a mediocre job at information security. Part of that is because you just don’t have enough people assigned to it, and part of it is that you haven’t had enough money allocated to it.” That’s another way to get the budgetary money.
Some IT people are resistant to that idea, because it’s kind of having somebody to look over your shoulder and grade your work. But if you can get around that and look at it as a benefit to your overall job, I think it can both help you on the regulatory front, to show that you are asking for outside verification of your security controls. And to help with sort of that budgetary, getting buy-in from people that maybe everything isn’t so great with what you’re doing, it’s just that you’ve been lucky.
Megan: Yeah, that makes a lot of sense. So do you guys have any advice for people trying to decide, like, what that level of acceptable risk actually is? How do you help people navigate that topic?
David: This is David here. I think that you have to begin with really accepting that every organization, regardless of size, regardless of the amount of security budget you have or the industry you’re in, every organization is going to have some level of cyber risk, even if you don’t want to have. As long as we’re connected to the internet and we have human beings monitoring our systems, and even when we don’t, cyber risk is still going to be present in some way, shape, or form.
And it’s okay for companies to recognize that they have risk in certain areas, so long as A, they really have a firm grasp on the risk that they’re retaining, and they understand the impact to the organization if that risk were to manifest itself and turn itself into a loss. And B, not leave unaddressed a risk that could really be reasonably addressed. It’s one thing to say, “We don’t necessarily have the staff or the budget to implement this grand security overhaul.” But you know what? You can do basic patch management. That’s something that every organization can and should be doing. So that’s one where it’s generally not acceptable to leave that back door open. That’s something that you should be doing on a regular basis.
One example of an acceptable risk would be… I heard the chief information security officer of a hospital system in Michigan speak at a conference a couple of years back. And the situation that they were presented with was, they ultimately chose not to upgrade an MRI system, and the software running it, to a newer version. And the reason that they chose not to was because the physicians that were running the MRI scans said that the older version of the software and the older version of the imaging system produced a higher quality image that was more useful in a diagnosis. So in this instance, your security certainly is a priority for that organization, but security’s never going to take precedence over a patient’s outcome in a situation like that. So in that instance, that’s a risk that that hospital is knowingly accepting, but then is going to be taking steps and precautions to make sure they are mitigating the effects of that risk as much as possible.
Megan: That’s a really a good story to share. I think it’s always a balance of things, right?
Megan: And so, we talked a lot about the things that can go wrong with cybersecurity, ways to plan around those incidents and things that are unexpected. But what about the positive side of this? What positive impacts can be made when adopting good cyber practices? Like, can this be a differentiator for someone? David, do you want to take this one?
David: Yeah, sure thing. From the immediate viewpoint from my position in the insurance brokerage world here, if you’ve got better cybersecurity practices, frankly, you’re going to have more favorable insurance coverage in terms of coverage terms and offerings in pricing. The cyber insurance market as a market is still very much maturing. It’s really only been around for 10, 15 years, as compared to your property and liability insurance, that’s been around for hundreds of years. But as that market matures, carriers are willing to offer stronger coverage if you can demonstrate that you’ve got better security practices.
From a business operations standpoint, if you look at studies like the Ponemon Institute’s cost of the data breach study that they published in conjunction with IBM, businesses that have better security practices on average take less time to identify that an incident has occurred, and will take less time to contain that incident. And where that really affects the business is that fewer customers are impacted, the business is interrupted for a shorter period of time, and the total cost of the incident is going to drop, as well.
A decent comparison in this case might be with something like a flu vaccine, actually. If you get a flu vaccine, it could very well prevent you getting the flu that season. And if you’ve got good security practices, you could very well prevent a major security incident. But even if you have a flu vaccine, you could still get the flu, which is kind of an odd thing, but it’s true. But if you have that vaccine, that will ensure that the virus doesn’t do as much damage as it could. And the same thing with security here. If you’ve got good security, you might still have a security incident or a breach of some type, but it will impact you less and you’ll know how to remedy the situation quicker, and you won’t be caught flat-footed than if you had really poor security practices in place.
Justin: This is Justin. I think there’s other areas where sort of a positive impact can be seen when you’ve got good cyber practices. The value to customers… we’ve talked about this before, that having good cybersecurity practices and talking about those in a smart way with customers can actually help to define your brand. There are companies who have not had major breaches who are synonymous with sort of having good security or having good privacy practices. I can think of one. Facebook, who a lot of people now don’t necessarily believe has good security or good privacy because of some of the events that occurred with it. But people have a different opinion about Amazon, generally, because there hasn’t been a similar type event.
But I would agree with sort of everything that David said about having good cybersecurity practices has a great effect on the insurance that you potentially can get, if there’s underwriting involved. And as a more general matter, it probably helps the mental health of people working in the information security department that they are doing everything they possibly can to secure the company. As opposed to worrying every night about potential breaches, and “Well, if we had this intrusion detection system or we had X, Y, or Z, then I wouldn’t be up watching TV instead of sleeping.”
Jeff: Both of you make great points. This is Jeff. It’s all going to boil down to trust. I think customers and clients have a very reasonable expectation these days that your organization is or has done everything they need to do to keep their private information safe. And there is that expectation. Nobody wants to be the company that has egg on their face. What’s the question that you usually hear, “How could they let that happen?” And so, you apply that to Marriott, Equifax, and some of the others. I imagine most of those companies have rebuilt where they are. But in the short term, who wants to be that company that everybody in the world is saying, “Gosh. They’re a big company, they’re really well-trusted, but are they not smart enough to take all the precautions to make sure that this kind of thing doesn’t happen?” So it can get really to something very simple, and it’s usually about the trust.
Justin: This is Justin. I was just going to make one other point, which is, if you are going to sell the business at some point in time, or the company’s going to be involved in a deal later, or an acquisition, having good cybersecurity practices will make the privacy and cybersecurity due diligence go much smoother. And if you’ve had a previous breach, or you have bad cybersecurity, or you don’t take care of personal information, that can affect the valuation of the company, as well. In doing a lot of M and A work, I’ve seen, and there’ve been actually major companies and acquisitions, one of them Yahoo, where the price of the deal went down because there was a data breach that either occurred before the deal or during the deal.
And so, showing that you are doing everything that’s required of you under law, and that would be generally considered reasonable, can greatly affect the number of entities that want to purchase you, the amount of money that they’re willing to pay for that, and the amount of hassle that you may end up having to go through, and the things you may need to agree to, to ultimately have the company be acquired by somebody else.
Megan: Definitely. I like that perspective of cybersecurity as almost a form of business capital, right? It all contributes and adds to your overall valuation, and especially your resiliency after a cyber incident may occur. So let’s move on to that. What steps can organizations take to ensure continuity of business, both during and after these major cyber events? David, I’m sure you have some first-hand experience with this being in the insurance industry. Any tips for our guests?
David: Yeah, absolutely. I think one of the things that everybody should be considering, especially if you actually are a holder of a cyber insurance policy is understanding what services that policy is going to be providing in the event you actually have a network security incident here. Really, the primary reason that people choose to buy cyber insurance is that more often than not, they simply don’t know what to do or who to call, or frankly, how they’re going to pay who they call, after a security incident of any stripe has occurred here. So cyber insurance really addresses all three of those items.
If you have something like a data breach, a ransomware attack, or a similar type of event, the cyber insurance, the carrier is going to be actively involved in that response effort. They’re going to be providing you with a breach coach, and that coach is essentially going to be a data privacy attorney who’s going to quarterback your incident response. They’re going to engage digital forensic specialists, price communication firms, notification credit monitoring companies, and companies like them. And additionally, if you decide to pay the ransom, or if you have to defend a lawsuit, or regulatory investigation related to that incident, the policy is going to pay those costs, as well as the damages and the fines that might arise from them.
When you’re actually accessing what kind of cyber insurance policy to get, one thing that I’d strongly encourage you to do is to work with brokers and carriers who actually specialize in cyber insurance and have a team or a person dedicated to working on this particular line of coverage. It’s really, it’s a type of insurance coverage that’s evolving very rapidly, and the carriers and the coverages that might have been cutting edge a year ago, today aren’t necessarily so. So you need somebody that’s staying on top of it on a regular basis here. So that’s just one little piece of advice I’d give regarding that.
Justin: Yeah, this is Justin. I would also add the business continuity in some sense is the general thinking about sort of what’s going to happen when those things occur. I think having insurance in this scenario in which there’s a potential breach or some type of technology or security incident in which takes down systems is absolutely critical because they will get the people and the manpower in place to assist you with that. But the insurance company can only do so much. They can only get a forensics company there to do response. They’re not going to be able to set up an AWS instance for you or migrate your data somewhere else, but they’ll pay you for the damages that result from the downtime. So having that kind of plan in place, and really testing it.
So we see a lot of companies who have a business continuity plan that they’ve copied from the internet somewhere and it just says, “We will restore operations,” but it doesn’t talk about how the company is going to communicate if it’s email systems go offline, and do they have some other out-of-band method to communicate with each other while systems may be down? Do they have an alternate data center? Do they know how quickly, in terms of time it would take, to restore from backup? Are they offsite backups? And has anybody ever tested trying to restore one of those systems from a backup? I think those are all things that need to be physically performed as opposed to esoterically thought about. Because when an incident occurs and the guy is trying to restore it for the first time, a lot of things can go wrong. And that can stretch out the time that it takes to restore things, and by doing so, stretch out the amount of losses that a company may experience. And those may be insured losses. Some of those may not be insured losses.
But that stuff can’t sort of make up for the reputational harm if your entity is down and you have to tell your suppliers or your customers that you’re not doing business at that point in time. So having the insurance, but also having the efforts of the company to make sure that you know what you’re doing when something like that occurs are, in my opinion, extremely critical.
Jeff: I’m guessing all of our listeners have figured out by now that having a plan in place before an event is clearly something that they need to be thinking about and setting up for. And I just support what both David and Justin have said. All that planning from the communications and the crisis response area, really it is primarily for you to have a very speedy and very accurate communication, whether it’s going to be only internal, or internal and external, or whatever. Because the whole point and the whole goal of it is for you to be able to control your message. You want to be able to define what is happening, what happened, what occurred, and not let somebody else define it for you. Particularly plaintiff’s bar. If you have big cyber event and it’s enough that it attracts the plaintiff’s bar, and they’re talking to the press, talking to customers and things, and you’re not saying anything, or you’re waiting and investigating, everybody else is controlling your message and you’re not involved. So that would be one of the top things that people probably need to think about.
Megan: Yeah. Jeff, let’s talk more about that. So if a breach does occur, do you recommend using an internal or external PR team to help with notifications? Like, what are some of the basic elements of what that communication strategy should look like?
Jeff: Right. The decision whether you’re going to use an external agency or your own internal people, really is going to be determined by the size of your company and your financial situation. Personally, my default would always be that you would want internal folks. You’d want your own people sort of defining that message, sharing that message and giving the message. But sometimes that’s just not practical. I mean, there are a lot of companies that just, to have a full, dedicated internal communications team, or external team, just it can’t be. So in those cases, absolutely, you’d need to get an external agency. And there’s hundreds of them out there. A lot of them are very, very good. I would say as part of your communication crisis response plan, having an agency or a consultant pre-identified would be something key that everybody needs to do to get that expert to come in and give you advice.
In this realm, there’s a whole list of things that probably need to be considered. Who’s going to be your spokesman, whether it’s going to be the CEO or the CFO or the CSO? Any number of possibilities are there, which are going to be determined by the culture of your organization. If you have a CEO who is regularly tweeting about the business and is on Facebook talking about the latest and greatest for your organization, you’re going to want that CEO to be the face of your crisis response. If you’re a little more low keyed and your CEO likes to work behind the curtain, great. Have an agency do it or maybe you have one of your senior legal people or someone from HR, it can depend. But again, these are all things that people need to think about before the crisis occurs and not after.
I will throw out there, just a little pitch for our listeners, that later today there will be a very brief little blog posting with some tips about communication and how to build your crisis response plan. All you’ll have to do is go to infosecpkstage.wpengine.comblog and it’ll be right there, and there’s some good information for you there. There’s some really good links to the people that taught me everything I know about crisis response, and there’s some good information there for folks.
Justin: This is Justin. I would just say, also, we typically recommend that any entity that has a data breach, if it’s something where there’s a potential that it will have media involvement or require the notice to a lot of people, like over 100,000, probably to involve the assistance of an external PR firm. And really, the main reason is that internal marketing departments are typically focused on the marketing of the company and the sale of the products or services of the company, and probably don’t have the type of crisis experience that external firms do. And the insurance company, most cyber liability insurance policies provide for the payment of an outside expert on PR in crisis. And so, in some respects, you might as well avail yourself of that anytime your insurance company is willing to foot the bill for that. And part of that is that those individuals are extremely experienced. They’ve dealt with a lot of breaches, they know what’s gone right, what’s gone wrong, the types of questions that people ask, the types of questions the media asks. And so, you have them involved for that reason.
But you also have your own internal marketing department, to the extent that you have one, involved, so that they’re delivering the messages to media. So you don’t want some new, outside PR firm talking to the media on behalf of the company when they’re always used to hearing from Sally in marketing, because media’s going to know somethings up, because all of a sudden John from whatever PR firm is now telling them about the breach, and so it must be a big deal if they’ve hired this outside PR firm. So there’s strategic decisions to be made there. You also want the internal marketing team to add that flair and sort of flavor that is consistent with the company’s overall marketing messaging, and the voice of the company when you’re speaking to its customers, especially in relation to a data breach.
David: This is David here. One last point I’ll make, and I know we’re coming up on time here, so I’ll make it a quick one here. I think when you’re talking about who’s delivering these messages here, I think there’s some element of pause that you want to take when you’re going to be using that chairman of the board or a CEO or the company president or something like that to be the primary mouthpiece or to speak about this particular incident. Because the moment the president or the CEO or the chairman of the board is talking about it, it becomes a news story.
There is an individual that I know who worked in the governor’s administration for a Midwestern state, and he was essentially the chief communications officer. And his philosophy was, “Good news comes from the governor. Bad news comes from the undersecretary of agriculture,” or something. The moment you get the big dog in front of the camera, you’re giving the story more light than it necessarily has. And ultimately, if it’s a bad enough situation, there’s going to be a time and a place where you do need to bring in the leader of the organization, and there’s times where it’s appropriate to do that. But just understand that the moment you have that person in front of the cameras, or being the primary mouthpiece, you’re giving the story maybe more legs than it would have had otherwise.
Megan: Thanks for that, David. So we are about out of time. We just have a couple of good questions that came in, and I’d like to give you guys the chance to answer them, if you’re up for it. The first one came from James, and James is asking, “Are there any positive takeaways from security breaches where the security team can gain a little leverage with the board for improving security posture?” He’s implying it’s an “I told you so,” moment. But how can someone leverage maybe one of those situations to help gain a little bit more priority at that top level of the organization?
Justin: This is Justin. I don’t think necessarily the, “I told you so,” approach works, and I think that’s what you guys are saying, is that’s not the approach. But I think these are the perfect events to say, “Look, everything’s not great. You know we had this particular event. There are things that we had on our strategic plan that were identified in our risk assessment.”
The other thing is that, in terms of sort of litigation that arises out of this, if there’s a breach that occurs, or a security incident that occurs that affects me, for example, and I go hire a plaintiff’s attorney, what I’m going to look for is that you had a risk assessment in place that said there was a risk at the company, said you needed to fix it, it was a critical or a high risk, and the company made the decision not to fix it. And that means that you weren’t acting reasonably, that you potentially were being negligent in your cybersecurity measures. And so, sometimes I tell people, “The second that you have somebody deliver that risk assessment to you, you’re sort of foisted this obligation to fix those things, because if something bad happens and I subpoena that risk assessment, and it shows that you knew about these risks for four years and you didn’t do anything about them, well, that’s really all you need for a negligence case.” So using the breach that might occur and using the other documentation that you have to show, “Look, this was a risk we knew about, or maybe it wasn’t a risk we knew about, and that’s even more the reason that we need to institute additional controls in place.”
And part of it is that each breach is supposed to have a lessons learned after it. So as part of the incidence response plan, you do a lessons learned, and part of that is what you need to improve to ensure that a breach doesn’t occur again. And you’re going to be asked that question by any regulator that’s involved in a breach. So any state attorney general that you send notice to, they’re all going to ask you, “So we see you had a breach. What are you guys doing to make sure that it doesn’t happen again?” And if you don’t have a good answer to that question, that might be them opening a bigger case to say, “Well, apparently they don’t care about cybersecurity because they’re not doing anything to improve it.”
Megan: Thank you for taking that question, Justin. And in the effort of staying on time with the rest of our days today, I think I’m going to go ahead and wrap it up. If you do have any additional questions for us, please feel free to reach out to us directly. We will be emailing a recording of the webinar later sometime today or early tomorrow. You can reply with any questions for our panelists right to that email, and we’re happy to take those as they come in. And as Jeff mentioned earlier, his crisis response tip sheet will be posted to our blog later on today, as well. And that’s just the infosecpkstage.wpengine.com/blog. Thanks so much for joining everyone. I hope you found this worthwhile and everyone learned a little something. Enjoy the rest of your day today.
Chris: This concludes today’s episode of CyberSpeak with Infosec Institute. Thank you all for listening. Remember, if you enjoyed today’s episode, you can find many more including webinars, tutorials, and interviews with security thought leaders, by visiting infosecinstitute.com/CyberSpeak for the full list of episodes. To see our current promotion for podcast listeners considering a class sign-up, please check out infosecinstitute.com/podcast to learn more. Also, if you’d like to try our free security IQ package which includes phishing simulators you can use to fake phish, and then educate your colleagues and friends in the ways of security awareness, visit infosecinstitute.com/securityIQ. Thanks once again to our guests, David Kruse, Justin Webb, and Jeff McCollum, and thank you all, again, for listening. We’ll speak to you next week.