Corridor experts offer insights, advice for fighting “real and large” cyber threats as part of the CBJ’s second-annual Cyber Security Breakfast.
By Katharine Carlon
Maybe it’s China using open remote access to steal your customers’ personal information. Or maybe it’s one of your own vendors using ransomware to snatch credit card numbers.
Those were just two of the random, fictitious attack scenarios attendees at the CBJ’s second-annual Cyber Security Breakfast generated by rolling specially made dice, before asking a panel of experts to weigh in with possible solutions.
The rolling of dice was an apt metaphor for a cyber environment where massive breaches, hacking and ransomware attacks make the nightly news regularly and keeping data secure can feel like a game of chance.
“Do not be negligent – the threat is real and it is large,” said Shadrack Roberts, a cybersecurity and privacy official and chief information security officer with HQ Army Sustainment Command – one of five panelists offering their cybersecurity expertise at the event, held Nov. 1 at the Cedar Rapids Marriott.
“For many of those mid- to small-size companies in this Corridor, it’s a daunting task when you have companies like Equifax that are getting breached,” Mr. Roberts added. “The good news is, there is help and you are not alone.”
That message – that the threat is real, but one that can be mitigated – came through repeatedly as part of the discussion, presented and moderated by ProCircular CEO Aaron Warner, and sponsored by ImOn Communications, along with sponsors Grinnell Mutual, Involta, RSM US LLP and Wellmark Blue Cross Blue Shield.
Below are a few of the highlights from the panel, which included Mr. Roberts; Jane Drews, chief information security officer at the University of Iowa; John Henk, senior vice president and chief information officer, MidWestOne Bank; Andrew Neller, information security manager and security official, Wellmark Blue Cross Blue Shield; and Travis Wendling, manager, risk advisory services, RSM US LLP. Responses have been lightly edited.
What are the basic things the business community needs to think about when it comes to the fundamentals of cybersecurity?
Jane Drews: Make sure you have a solid inventory of all of your devices – where they are, what they’re used for – and, even more importantly, know where all your data is. People tend to like to pull data down to their desktops and maybe that’s appropriate, maybe that’s not appropriate, but you need to really know where your most sensitive data is so you can ensure that appropriate controls are put around it.
John Henk: Just getting people to get stuff off their desktops and to a location where it can be backed up is huge. If you can just get to that first step, that’s a lot.
How do you classify data? It’s one thing to know you have sensitive data; it’s another to know who owns it.
Shadrack Roberts: We have a very strict standard of classification [in the Department of Defense]. Whatever your sector is, whether it be health care, banking … it’s not just what you have, but why would someone want to exploit it or why would they want to get that data, and what would be the damage to you or the liability to the firm?
Jane Drews: Something we’re working through is the use of cloud applications. A lot of people are migrating to [cloud] service providers. Trying to keep track of that data that’s harder to inventory and what kind of classification data is going where is very important, because ultimately you’re responsible for it, even though you’re hiring a third party.
Travis Wendling: If you have really sensitive data, being able to segment that data off and paying attention to it closely – monitoring it without having to monitor your entire environment – is extremely important and will allow you to really secure what’s in front of you. Look at what are you trying to protect. Are you trying to protect your consumers’ credit card data? Their [health] data? What I’ve seen in the past when people try to classify data, they tend to overclassify data. When you start focusing on what’s important to your organization and what are you trying to secure and protect from a malicious user, then that small segment is easier to protect than the entire environment.
Where do you turn for insight into cybersecurity topics?
John Henk: For us, we go to a Financial Services Information Sharing and Analysis Center. That gives us some great insight into what’s going on in the larger environment. But I will say for small businesses out there that are really trying to get their arms around how to start with some of this, the FTC [Federal Trade Commission] has some great materials on their website. If you’re at a remedial level and don’t know where to start, there’s some really good guidance on cybersecurity. They basically walk you right through the process.
Jane Drews: Get your people involved in some of the organizations that are out there, like Information Sharing and Analysis Centers. … If you get people certified, they get access to a wealth of information and a community to bounce ideas off of and to.
Travis Wendling: One of the places that is kind of unconventional that I gain a lot of information from would be Twitter. There’s a lot of information and a lot of it is changing quickly.
What is your approach to cybersecurity insurance and what role does it play in your approach to risk?
Andrew Neller: You need to read the fine print. There are some really unique exclusions or provisions in cyber policies. One of them that I’ll name specifically pretty much says if you had someone that got phished or someone that was clicking on [something they shouldn’t], they actually count that as “collusion,” which voids your policy. So you really have to make sure you’re doing your diligence to ensure you know what you’re getting and you know what’s covered.
Shadrack Roberts: I don’t have cyber insurance because my insurance is your tax dollars. The reason I want to make this point is I have 50 attorneys I work with regularly on Army contracts … and often I’m put into the position of making the narrative or justification as to why or why not someone was harmed. Some of the best cyber insurance is being able to have an audit log or something that shows definitively in a court of law that this never left a certain amount of control or a certain area. … It gets back to those strong controls and basic things you can do that in some ways are cyber insurance.
How are you thinking about the Internet of Things and how best to approach that from a cybersecurity perspective?
Jane Drews: At the University of Iowa, we’ve built a separate device net, so it’s a segmented network that these IoT devices are placed on. There are controls on communications in and out of the campus network for those devices, and we try to keep them separate from say, user workstation-type devices.
Shadrack Roberts: So many devices record … Privacy today in the digital world is a façade. If you’re walking around with these devices and you’re talking intellectual property and making important decisions, I would treat those discussions just as I would if I were walking into a courthouse and you have to drop your devices and put them in a safe outside of the room. These IoT devices are there to collect information constantly, so you have to be thinking about those things. It’s not that you really believe that somebody may be recording in that room, but I would say that probably Amazon, Google, Facebook and everybody else is recording, so sometimes it’s better to take those devices, in particular cell phones, and just keep those away from the conversation.
How would you handle the breach scenario involving a vendor and ransomware?
Jane Drews: Certainly, containment is the first thing you have to do. In our environment, we would pull together a team and strategize with legal and IT and the unit involved in using this vendor. It would be working with them or a third party to do an investigation, whether it was forensic or not. We, in our contracts, make sure there are stipulations about how quickly [vendors] have to report to us, whose responsibility it is whether we indemnify them or they indemnify us … so we would be reviewing that sort of thing.
Shadrack Roberts: If the inevitable occurs and this breach happens, if you’ve been really good with your contracts you may be able to spread the liability of this exposure … to the cloud or the vendor or a third party.
Jane Drews: There’s a spectrum of that liability. We can shift all the liability in a contract to vendor ABC that’s going to process your financial data or whatever it is, but ultimately, it’s your data, your company, your image, your reputation, your customers. So there is no 100 percent liability shift.
What is the good news? What gives you hope?
Shadrack Roberts: If you’d told me 10 years ago that the boomers who were watching network news would know what the word malware means, or hacking or cyber … There are a lot of threats out there in our interconnected world, but also a lot of opportunities, and for those of us working in the field, I don’t think we could be in a better time. Don’t be afraid. Find the right people. Ask the right questions. There are going to be incidences, but there are also things we are very good at. Defending and setting up secure networks that are impenetrable, that’s not going to happen … but as long as you are leaning forward in this space, it’s a great place to be.
Andrew Neller: It’s great to have the opportunities to have these conversations. It wasn’t that long ago that legal said, “No, you can’t go have these conversations. This is intellectual property, these are trade secrets,” and that wasn’t really the case. We’re helping raise the tide of all ships here collectively from a cybersecurity perspective because we’re all in the same boat.