The following article was made available and moderated by Ray Paprocki, publisher and general manager at Columbus CEO. In this article, Ray interviews Tom Skoog, the Cybersecurity and Data Management practice leader at Blue & Co., LLC.
Columbus CEO Virtual Roundtable: Cybersecurity
The U.S. government recently blamed the Russians for a major hack of federal agencies and large companies by compromising software made by Texas-based SolarWinds. Some have called the massive breach the Pearl Harbor of American IT.
This cybersecurity crisis is just one more reminder that business owners and executives should focus intently on protecting their data and networks.
Columbus CEO discussed key issues involving cybersecurity with representatives from Affiliated Resource Group and Blue & Co. during a virtual call on Feb. 2.
Here is an edited and condensed version of that conversation. Transcript provided by PRI Court Reporting.
Ray Paprocki (CEO): What can businesses learn from the SolarWinds attack?
Michael Moran (Affiliated Resource): This is just an example of things that have been going on for a long time. If you look back to last year, FBI Director (Christopher) Wray stated that half of the ongoing investigations the FBI was looking at had to do with intellectual property theft–it had to do with access and cybersecurity issues.
Executives rarely ask IT professionals what are the tools that you use to support and manage the business. I think they need to have an annual risk assessment. They need to start looking at their IT operations, not from a negative but, hey, where might we have some holes that we can protect.
As an executive, you need to be asking more questions about the status of your IT. Many executives aren’t comfortable with IT, so they assume it’s covered. You have to ask. And then I think that executives need to inspect what you expect. If you’re expecting your organization to be protected, how is your team doing that?
Thomas Skoog (Blue & Co.): What organizations can learn from this is they really need to make sure that they’re managing the risk of their vendors. Imagine if what happened to SolarWinds happened to Microsoft, or to Apple, or Adobe, or SAP, or Oracle. And it’s also not just software that this can happen to. There have been several examples of microchips being infected with malware inside of hardware.
So what are some reasonable things that you can do? I think the ﬁrst is to acknowledge that this happened, and it can happen again. Second is to understand from your software vendors–your key software vendors or other key parties that can have an impact on your network and your systems–what protections have they put in place to identify and detect and respond to this type of supply chain attack.
And ﬁnally, I think you need to have a quality backup strategy and test your restorability of that plan. And that you have got to change your paradigm from not if we’re breached, but rather when we’re breached and have well thought-out plans that are tested to respond to that breach.
CEO: What are a handful of key questions leadership should be asking, and what are the answers that might cause them concern?
Skoog: Are they setting the appropriate tone at the top about security? Do they have an appreciation for the sensitivity or the conﬁdentiality of their data if the data was lost or the integrity of the data was compromised? What kind of impact is that going to have on the business?
From there, I think they can start asking the questions about what are we communicating to our employees about the criticality of that data and setting that tone at the top so that employees realize they need to properly protect this data because it’s vital to the survivability of the business.
And I would ask the IT folks what is being done to properly protect our data. I think this is where it’s probably advantageous to–especially for a small business that is relying on a single IT person–to look outside your business for some help. It might be just simply, hey, what are the 10 or 15 questions I should be asking my IT person, and what kind of answers should I be expecting? Your accounting ﬁrm should have somebody that does that.
Moran: What are we trying to protect? Some companies, they’re trying to make sure they’re protecting their productivity, because they don’t want any down time from their systems. Other companies have to balance protecting their data–for example, companies who work with consumers, in the health care or ﬁnancial services industries–and protecting the productivity of their systems. Others have intellectual property they’re trying to protect in addition to protecting their productivity.
Are our systems prioritized? Then start looking at what are the threats to our organization. If you don’t understand that, you can’t have a level of protection for that. How comfortable are we with our ability to detect and respond before it’s too late?
And then there are questions about an incident response plan. How are we going to respond when something happens? When did we have our last risk assessment? When we start with new customers, that’s one of the questions we ask, and very rarely have they had a risk assessment done in the last two years. And I think in today’s environment that’s a risk.
Skoog: It’s important to make sure you’re asking those kinds of questions to the right people. It’s the CEO, the CFO, the owner. I don’t think you can rely on your IT person unless they’re having several conversations with those executives to answer those.
Moran: I did a presentation about a year ago and it turned out about 80 percent of the people in the room had HIPAA regulation requirements, and they didn’t even realize it until I asked and then explained it to them. And there were some very interesting looks among people in the room, like holy moly, we’ve got some work to do.
CEO: How has COVID-19 impacted cybersecurity?
Skoog: Since COVID, there’s been a huge uptick in ransomware attacks using COVID as the guise for whatever the scheme is that the hackers are using.
I think another thing that we’ve seen early on when a lot of companies went remote was they weren’t prepared to have an entire workforce go remote, so they had employees using home PCs to access their network, and those home PCs didn’t necessarily have the protections on them that their work PCs did. Most of those companies went ahead and procured laptops and then conﬁgured those laptops appropriately.
And I think a lot of companies have been pleasantly surprised that moving to a remote environment wasn’t as difﬁcult as you might expect it to have been. The investments they had to make were maybe not quite as onerous as they thought they would be.
Moran: Between January and early February (2020) there were like 1,200 URLs registered that had a tie to COVID or coronavirus worldwide, and you’ve got to believe that not all of those were done for a positive registration.
Longer term, we’re working with organizations now that are trying to look at their infrastructure and their networks and determine how are we going to handle this potential quick ﬂip of what goes on in case something else happens. What is their strategy with their infrastructure? Are we able to make quick changes like we had to do there? Are we in a position to help support those things?
CEO: We all know the importance of training. Are there any examples that prove to be most effective in getting people not only to understand the information, but also to apply it beyond the training session itself?
Moran: It’s regular training and then it’s also reminders via simulation. It’s maybe a 15- or 20-minute video they have to watch with a little quiz that follows it. And then they get, on a regular basis–and in many cases it’s speciﬁcally tied to not only their role in the business, but the department they’re in–phishing simulations. Where they get attempted emails to go through. You ﬁnd out who some of the folks are that are risky clickers.
Skoog: Find that line of not over-communicating, because at some point people will start shutting that off. But also not under-communicating the importance of good cybersecurity practices. And just doing it annually is certainly under-communicating.
CEO: Is there anything that we haven’t addressed that you think is important that you want to share?
Moran: You’ve got to have a response plan put together as an organization, and you really have to have that in place today. Sometimes people say, well, I got an IT provider so if I have a problem I call them.
OK. That’s part of it. But do they have a plan to help you get that done? What are we doing on a day-to-day basis to protect our systems? What are we going to do when we realize we have an issue? How are we going to respond? What are our steps going to be? What’s the plan to get it ﬁxed? And there would be more requirements depending on the type of organization you are. Because if you have regulatory requirements, you have to do additional things to determine what’s the effect of things.
And you have to have a communication plan. And that communication plan can be as simple as who are we going to contact and when? Many companies have cyber insurance. So you may need to call them to let them know you had an issue. You may need to call your internal teams; you may need to call some external folks. You also need to start crafting a message to your staff. What are you going to say? The last thing you want is one of your customer service people saying, oh, I’m sorry, I can’t help you today because we had a ransomware attack and our systems aren’t working.
Skoog: I’ve been to banks that have a breach notiﬁcation policy, but they don’t have an incident response plan. We’ve been infected with ransomware, we’ve had a breach and we’ve lost data, somebody lost a laptop. What’s our response plan to that?
And these plans really should consist of kind of four macro-level stages. Identiﬁcation: Identify what happened, identify who you need to talk to and who you need to communicate with. Containment: How do we make sure that this breach hasn’t gone any further than it has to this point? Eradication: How do we get rid of it? Recovery: How do we get back up and running and sort of something that resembles normalcy?
Mike mentioned one of those communications probably is immediately going to be to your cybersecurity carrier. Those cyber carriers are going to tell you the next two phone calls you’re going to make are to this law ﬁrm, because everything that you’re going to do is going to be under attorney-client privilege. And secondly, it’s going to be to this forensic ﬁrm to ﬁgure out what happened, ﬁgure out what the extent of the damages have been or the consequences have been, and then how to move forward.
And at a minimum, annually you should come up with some scenarios of, OK, let’s talk through what we would do if we had a laptop stolen. IT person, what’s your responsibility? CEO, what’s your responsibility? Who’s making the ﬁrst call? Who’s making the second call? Because without doing that, the chances that you’re going to actually execute the plan accordingly are going to drop pretty precipitously.
Moran: One of the things that we went ahead and did is we put together, for what it’s worth, a little white paper that you can get on our website that’s kind of a framework for developing your incident response plan, and that’s been pretty well received.
Skoog: I think one other thing that companies ought to be doing is really keeping an eye on regulatory changes inside of their industry.
They’re happening consistently, and the industry that’s struggling with it right now is the construction industry, particularly if they’re doing work with the Department of Defense. Because the DOD has come out with some extremely demanding security protections that are in place if you’re part of the DOD supply chain, and they are going to be having third parties come in and assess, eventually, your compliance with these requirements. And if you’re not compliant, you’re not able to bid on new contracts.
CEO: What’s coming next?
Skoog: For the last few years the type of attacks that companies had to worry about haven’t changed that much. It’s getting phishing emails and having those phishing emails deliver malware or ransomware. And now, the sophistication of those emails maybe has changed, and the sophistication of the ransomware and the malware has changed, but at the end of the day those are still the top risks that organizations need to worry about.
But I think just as they start getting to a point where they ﬁgured out how to manage those risks to an acceptable level, the new risks they’re going to need to start thinking about is how artiﬁcial intelligence is going to be used to continue to do these phishing expeditions or those social engineering exercises.
I’ve heard of where through AI the bad guys are taking video or voice of somebody inside your company. For example, if somebody in XYZ company gets a video of what appears to be me or a voicemail of what appears to be me saying we need you to do the following, and they’re going to think, well, jeez, it’s Tom, it must be legitimate. So how AI is going to be used by these bad guys is going to be the next technical issue that companies need to deal with.
Moran: I mean, if you think about all of the robo calls that you receive on your cell phone, in many cases those robo calls are trying to get you to say yes or something else so that they can use the automated attendant at organizations to validate things.
So, for example, if they’re going to commit fraud using your American Express card, in many cases American Express expects you, if you’re going to go in and change account information, you have to state information, and you have to state the word, yes, we’re acknowledging you can do this. So those are things that are there.
I also think at a next level there’s data stealing. Yes, they want ransom.
But I think the bigger value in that data is looking to understand trends and things that are going on to make further connections so that they can build a package and gain a competitive advantage–whether it’s in ﬁnancial services, in your consumer goods scenario, whether it’s who’s buying information or who’s buying things from you. All of that information, it gives them a competitive advantage if they have your customer list and they have all of your invoice recognition.
The more data folks can steal, the more things that they could do with that data and start building up their own competitive advantage, and you don’t even know that they’re doing it.
So that idea of protecting your systems and protecting your data–companies that just think, hey, we’re just a simple manufacturer, we manufacture business-to-business sales, we don’t have anything we need to protect.
In reality, there are other companies that are your competitors. They may want to know that information. And if somebody steals that data and they have a smarter way to compile it and use technology to get it done, they might have a better way to go after your customers or position themselves to be a better price perspective in terms of that, or better delivery means.
So, again, people have to really be cognizant of what they used to think really didn’t matter is more important today because of advanced technologies like AI and the analytics activity that’s going on. Because everything is being studied today down to the most minute transaction. And the more information people can get, the more factors they can add into the systems and start to see more and more opportunities or more and more risks in terms of ways to create a competitive advantage.
CEO: Well, a fascinating thought to end on, and a little scary also. Thank you.
About the Cybersecurity and Data Management Service Line
At Blue and Co., LLC, our professionals, through their diversity of experience, can assess the likelihood and impacts of a cyber breach, a prolonged processing interruption, the operational and cost effectiveness of your IT environment, and the impact of certain federal regulations on your business, such as HIPAA, PCI, FISMA, etc.
We also help you improve your business performance through strategic deployment of your limited IT resources by assisting with strategic planning, development of operating models, sourcing decisions, and other technology advisory services.
For more information on this service line, visit the Cybersecurity and Data Management page.
About Tom Skoog
Thomas (Tom) Skoog has more than 29 years of experience providing information technology services to a variety of industries including healthcare. He previously served as a partner at an accounting firm where he was responsible for the IT risk and audit practice for the offices in the Michigan, Ohio, Indiana and Kentucky business unit.
Tom was responsible for delivering both external and internal audit services along with other advisory offerings including cybersecurity and data management, system controls integration, strategy development, project management, and helping clients comply with a variety of regulatory requirements including Sarbanes-Oxley, PCI, and HIPAA. He was a member of the national HIPAA services team, which was responsible for working with HHS/CMS on the development of audit protocols to be used by CMS in assessing HIPAA compliance. The team also conducted the initial 100+ audits and used the results to adjust the audit protocols with CMS officials.
Tom received his Bachelor of Science Degree from Northern Michigan University in 1987. He serves on the Board of Directors for LifeCare Alliance, which is the parent organization of the Meals-on- Wheels program in central Ohio, one of the largest in the country. He serves on the Finance and Technology committees and chairs their Risk Committee.