The ROI-NJ Thought Leadership Series held a recent panel discussion, Cybersecurity: Readiness, Response and Recovery. The panelists were:
- Robert Anderson, attorney, Lindabury, McCormick, Estabrook & Cooper;
- William Gayeski, director of technology, Winning Strategies ITS;
- Keith Gilbertson, account executive, Arthur J. Gallagher;
- James Mottola, director, forensic investigations and risk mitigation, Sobel & Co.
Q: Atlanta was just the latest municipality to suffer a ransomware attack. What should towns in New Jersey do before and/or after an attack?
Robert Anderson: If an attack of this sort happens, the first person you should really be calling is your attorney, because you’re going to need to conduct an investigation to determine what’s gone on within your computer system. The insurance company will want you to do penetration testing, where you have an outsider who is friendly try to get into your system to see where the vulnerabilities are. They will then produce a report showing the weaknesses you have. If you have an outside attorney come in and order that report, then the report is being provided in connection with attorney recommendations. If you have done that, then, potentially, this report is protected by attorney-client privilege. If you don’t have that, when you get sued by the many people who will come out of the woodwork, you’re sitting there with a report that says, ‘We specifically knew there were 35 problems and we only decided to deal with five and let the rest roll.’ That’s going to be Exhibit A in the plaintiffs’ file against you.
William Gayeski: I had this experience with a hospital system. They were trying to make things more efficient, trying to connect all their divisions and doctors were trying to connect to all of the hospitals in their system. And there was a rush to do that in the last five years, for efficiency reasons. What wasn’t taken into account was the exposure they opened themselves up to with the level of access that each of those accounts had. You need to be aware of this and make sure you are protected.
Keith Gilbertson: You want to make sure your product has the cyber-extortion insurer agreement. An overwhelming number of products out there will have this, but you need to make sure your broker is negotiating enhancements to this agreement. One should say you will have the cost associated with someone coming on the scene or accessing from a distance who can say: ‘This is the type of hold they have on your network. And maybe we can’t get them off, or maybe they can’t.’
James Mottola: I was on the response team for a city in New Jersey that had the same situation. What I found particularly interesting is that all the services for this particular city were connected to each other: fire, EMS, police. And, since cities receive payments and they make payments, they are open for attack. That was their issue. The other thing I took from that experience was how little funding was available for technology upgrades, how antiquated pieces of software were running and how there was no plan or money to upgrade them.
Q: How do we make sure all of our partners are following proper standards to protect our interests?
WG: We are partners with our clients. These cloud providers know they need to be compliant, and a big selling point is that they can provide that to their customers. For us, we see a very strong push to the cloud and everybody wants to be in a cloud and integrate. But, before that’s done, it’s important that you sit down with your (information technology) provider and have those discussions about the application.
KG: An integrated approach is necessary. You need an attorney. You need an IT person. You need someone who can validate and verify that everyone is doing what they are saying they are doing. One more thing: You need to know what happens if they go out of business. Where is your information? Can you get it back from them?
JM: You have to have a right to audit in the contract. You have to have a SOC 2 report, which is standard. It will basically say you can have a third party going in to say that (the company is) doing what they say they are doing. You have to build that into the contract.
RA: In the big picture, if you’ve outsourced your data, you’re still responsible for it. So, the question in general would be whether you took reasonable steps in protecting that data in the arrangements that you made. The best time to do that is up front in the contract with that party. You have to make sure it has all the protections you need to have, based on whether you are a regulated industry or not. There are risks in transmissions, connections have to be secure, the server area itself has to be secured. Typically, cloud server companies will say, ‘This is our standard contract, do you want us or not?’ You really have to make sure it has everything you need.
Q: What are some best practices for small businesses?
KG: The biggest thing is making sure you know where your data is. Making sure that there is a segregation of data, too. Just because you’re all on the same network and all a part of the same company doesn’t mean you have to have data that can span the entire network. Personal health information is your most valuable, so you need to address (that) immediately.
JM: I’ve seen that it really starts with an employee handbook, an acceptable-use policy. I think those are the two documents that you should really put together. It will talk about things like accessing Amazon and using credit cards on your work computer. The biggest issue is data classification. Look at the information that you have, where it is, and ask yourself, ‘Do you really need it?’ You need to limit the amount of information that can be accessed. And, if you’re a small to midsize business, you need to look at it from a business perspective: How much is it going to cost to do these sorts of things, and what will happen if I don’t?
RA: There’s a tendency among smaller businesses to think that cybersecurity is about technology. And it is in a lot of ways. But, if you take one thing away from this conference, let this be it: 68 percent of breaches that companies experience are through authorized users. It’s your employees. You can put up all the technology in the world, you can have silos and separate the data and encrypt things, but it’s your employees, clicking on something, opening something they shouldn’t. Your employees are trained to be responsive to emails coming in. The best thing a company can do on a cost-effective basis is have employee training where you show them (things to look for). That’s probably the single most important thing you can do to prevent a breach.
WG: The good thing is that this already has been prepackaged for you by a company called KnowBe4. A lot of you probably have had phishing training. It’s only $20 per employee per year. The important thing is that you do it initially and do it on a regular basis to get those metrics on who your biggest risks are individually. It’s always the same people.
Q: Can you give us two takeaways?
JM: For businesspeople, you have to understand that cybersecurity is something you must now budget for. And, it’s important that someone in your organization is the responsible party that can take ownership of this. If you do that, a lot of these other things will fall into place. You are under attack. The likelihood of impact is up to your preparation, your planning and your response.
RA: The ‘Internet of Things’ is changing everything. We have smart refrigerators and thermostats. And, when it’s smart, it means there’s an app that is connected to your server. Those devices have not been designed for security purposes. They are designed to amuse and be consumer-friendly. That’s a new path that cybercriminals are using to get into businesses or homes, where they can access a backdoor into your system through your refrigerator or smart TV. But more than anything, cybersecurity is about making sure your employees don’t do something that they shouldn’t do.
KG: We need to figure out where we are going with data security. Facebook is really the tipping point. We need to create a culture of awareness at your company and in your personal life, so that you know 24/7/365 your data is at risk. It is the training, making sure people are aware that what they are doing affects the entire company. I think eventually you will see cybersecurity departments that are separate from IT departments, where they can report directly to the CEO or (chief operating officer). That way, they can have honest conversations about different divisions and their systems and make sure folks are being honest with the data.
WG: Sit down with your IT provider and ask them, ‘How are we protected?’ Then, see what they say back and see the different technologies that they have in use. The types of cloud-based technologies needed to secure your environment are now bite-sized, and they are reasonably priced for the small business, so you should be thinking about integrating your security no matter how difficult they are for your end users. And then look at passwords. With a $5,000 computer, you can crack an 8-character password in six hours, where with a 12-character password, it would take you a hundred years.