In this day and age, everyone is at risk of cyber threats. Small businesses are just as vulnerable to cyber attacks as much as the Fortune 500 companies. The question is, what measures should be implemented to prevent such threats? In an interesting discussion, Doug DePeppe, Hilary Wells, Ed Barkel and Bill Nelson explore why small businesses must start paying attention to cybersecurity as well as the importance of protecting their customers, their employees, and their data from cyber breach. They talk about the unseen risks brought about by cyber threats to both start-ups and major corporations and share tips on what organizations can do to enforce reasonable security measures and have a proper “cyber hygiene.”
Cybersecurity Panel with Doug DePeppe, Hilary Wells, Ed Barkel and Bill Nelson
We have a unique podcast. We would call this a panel. There is Doug DePeppe. We have Hilary Wells, Ed Barkel and Bill Nelson. Doug is with EOS Edge. Hilary, Ed and Bill are with Lewis Roca Rothgerber Christie. What we’re going to talk about is cybersecurity. Tell us about your business and who you serve.
We’re a full-service firm. We will talk a little bit later about how we’ve formed a strategic alliance with EOS Edge. We represent companies everywhere from banking to insurance companies to investment advisors, healthcare, schools and manufacturing, everything in between. What we found is that all of our clients have access to data. That data needs to be secured. We’ve developed this group to work with our clients and help them, especially the small to medium-sized clients, develop systems, processes and methodology so that they can help keep their company data safe. Maybe even more importantly, their clients’ data safe.
You have to think about this as a small business owner. Ten, fifteen years ago, I didn’t even need to think about this. I talked to a couple of groups here and their age was similar to mine. Most of them don’t use LinkedIn. Most of them don’t look at their email. What I would think is the awareness of the smaller business owner is not that high. Why did you form what you formed? What was the motivating factor?
What we did is we followed our clients and their path through data protection and cyber issues. As far as large industries that first encountered data protection, it was the healthcare industry with the passage of HIPAA. As Ed said, we represent a lot of insurance companies. We represent hospital systems. We saw that group be the first to try to tackle what information they were collecting, what they were doing to store it, then their obligations to protect it. The financial services industry was next. We had Gramm-Leach-Bliley and other regulations from FINRA come out. Our regulators are now requiring us to have these plans, these systems and these policies. How do we do this and how do we stay compliant? In the past five years, what we’ve seen is we’ve gone from regulated entities who are doing what they had to do because they were told to do so to an interesting standard that’s developed for all industries across the spectrum, regardless of whether or not a regulator is directing what you do and how you do it.
Customers are making buying decisions in part based on how you are doing in this field. If I’m going to trust you with my information, how do I know that you’re doing what you can to protect it? That’s not a Facebook problem. It’s not a Twitter problem. Businesses of all sizes have employee information. They have customer information. They have information to be protected. What we’ve done is we’ve transitioned from advising on what the law is, which can be daunting, to bringing to the table for our small and mid-sized clients an opportunity for them to assess what their particular risk is and how they can try to mitigate those risks.
For the small business owner, did they walk into this or were they dragged into this?
I would say both.
We think about the hacks that happened in some of the retailers or at a hotel chain or some of the others. It’s not typically what I would think of as a small business owner. I was there buying a pair of socks. All of a sudden, my data’s out in the breeze. For you guys, are you predominantly front range? What’s the extent of your coverage with your firm?
We have a Southwestern footprint. We have offices in Colorado. Our home office is in Arizona. We have offices in Nevada and California as well. California has jumped feet first into the data protection and privacy issues with enacted law. We see lots of development as far as standards. Again, what do you have to do? At the same time we see clients trying to do the right thing and to understand what their risks are. You mentioned something interesting: how does this come up in these large breaches where I purchase some socks? Doug can speak to the type of encounters that small businesses have with ransomware and other forms of mischief that create real problems if you’re trying to get access not only to your customer information but to your AR system so you can get your bills out and get paid.
Thanks, Hilary. There’s a notion out there that I’m not being targeted, it’s someone else’s problem or my business is not likely to be attacked. What we’re seeing on the dark web or the darknet is that there’s hacking for sale as a service. There’s a whole black market where hackers are selling their services to others. Some of these organizations have the massive capability to break into search engines, for example, and to attack whole countries based upon IP ranges. It’s a dragnet. It’s not about, “They’re not going to look at me.” It’s not remaining under the radar. You could be swept into a dragnet attack because you have a vulnerability that someone is looking for.
I am thinking back to the small business owner. I’m the business owner and I go, “I change my password regularly. I’ve got a Comcast or another provider for my internet security. I have a router and stuff. I try to back up my data periodically to one of the backup services. Am I still exposed?” What would you say to that business owner that says, “I got this covered”?
Being secure on the internet is frankly not possible. It keeps changing. You can be up with compliance and what the current best practices are. There’s something called a zero-day exploit. A zero-day exploit means that someone’s figured out that there’s an exploitation of a vulnerability that no one knows about yet. They developed a hacking methodology to exploit that. That’s called an exploit. It’s not possible to be secure, which is not saying, “It’s a losing battle.” The name of the game now is being resilient, being able to withstand attacks, detect incidents and anomalies and being able to recover quickly.
In the military, we used to call it the tallest men in the foxhole. If you have zero protection and zero things done, I would think that you would be an easier target than somebody that’s done something.
It’s trying to be as the joke goes “Faster than the next guy when the bear is out there.” You don’t want to be the low hanging fruit. We’re going to talk more about cyber hygiene. If you have a baseline level of security and you’re resilient, then you’re going to run a little faster than the next guy.
We did mention it that Doug is with EOS Edge. We’ve been talking about the law. Everybody here is an attorney except me. I can’t even talk that much. In thinking about that, you just don’t do the law though. You also do practical help and remedies for the business owner and suggestions to help them understand what they can do and what their risk might be.
One of the value adds that we’re trying to bring is not only to tell the client what the new law in Colorado is, what the new law in California is, but to take themselves from being low-hanging fruit and move forward. Some of that’s education as to what the potential risks are, what steps they can take to protect their data and what they can do with their employees to help their employees help them build that firewall against an outside attack. Frequently, it’s not a hard attack that gets a good company, it’s mistakes by the employees who let the hacker in.
This education and value-add was part of our goal. We’ll also talk about cyber insurance, what steps you need to take to put that policy in place, have it stay in place and have coverage. We’ll talk about what those costs are. It’s to help the client, the small business owner, understand that they do have assets to protect. They do have a reputation to protect. As Hilary said earlier, there’s buying decisions happening now that are based upon a safe company versus an unsafe company. We want our clients to be able to be a safe company so that they protected their data, they have good cyber hygiene and we’ve given them that value-add.
In the transition world for businesses, there’s also that discussion about intellectual property and how to protect it. We talk about outside actors. There’s also the inside actor that can take and go in. When you guys are looking at companies that you touched on some that are coming to the marketplace and looking at policies, procedures and intellectual property protection, what are you seeing from the buyer’s standpoint? Are they starting to focus more and more on that?
They are. We’re seeing that as part of due diligence in mergers and acquisitions. Financial audits have always been the standard for what we need to have in place, get through, have the professional’s opinion on before we close the deal. What we’re finding now is there’s also a need for a cyber audit because as you take on somebody else’s infrastructure, their employees and their systems, you very well may, as a large hotel chain did, buy into somebody else’s cyber problem, not realizing that you’ve done so. There are a lot of places where this piece of work becomes important. From a business perspective, it’s not a matter of, “Am I going to get sued? Is there something bad that’s going to happen?” It’s “What do I do to protect and add value to my business and make sure that I’m appropriately valuing what I’m considering either acquiring or selling,” as you’ve said.
It’s just good business.
Having come out of some of the M&A work in my early days, one of the things we always looked at was, “I can do an asset purchase or I can do a stock purchase. If I do a stock purchase, I buy all the problems.” Now in the cyber world, buying the assets doesn’t necessarily insulate you. In fact, you may be buying into that hotel chain problem. Having that search done, having the review done, looking at the policies and procedures that the company had and going through an EOS Edge review to see their CyberGaps is important. We think that going forward, even the smaller businesses, whether it’s Baby Boomers looking to transition out of their business, need to have done the housekeeping to set things up so that they can sell the business for the greatest value.
Hilary, what pushed you to go through this data protection and cybersecurity side?
It did develop from representing groups in highly regulated industries that were coming to grips with our legal requirements. As we saw the requirements in the new Colorado law that applies to all businesses concerning the need to protect client information to make sure that it’s disposed of appropriately when it’s no longer needed, we had an opportunity to stand back and say, “If I were the business owner, has Lewis Roca Rothgerber Christie answered my problem?” What we found is we were able to and did very well give the legal advice around what you need to do in order to be in compliance. The business owner is looking at it and saying, “What’s my problem? You’ve told me that this is a problem, but how is it in my business a problem and what can I do to improve it?”
It’s the reason we’ve reached out to Doug DePeppe and his group who’ve got the real technical expertise, background and consultants who can evaluate what is your risk given the business you’re in? If you’re a tow truck company, you’ve still got risk. It may not be the same as the risk of a bank that’s got an intellectual property that it’s protecting for itself or others. With his ability to assess what the risk is and what can be done to improve, we found we became a full-service partner for our clients because we weren’t reporting on a problem that they read about every day. We were also bringing in, “This is what you can do in order to manage the problem you can’t solve, but you can certainly mitigate.”
Doug, for you, how did you get down this cyber road?
I’m retired military. This is the way that we practice law in the military. It occurred to me that you do a lot of work and sessions with new businesses, ventures and opportunities. One of the maxims, if you’re going to start a new business, is what’s my differentiation? What’s my value proposition? There’s a phrase called having an unfair advantage, which is a good thing if you’re opening up a new business. I looked at that and felt that the best cyber firm was a cyber law firm. The reason for that is there are certain advantages. First of all, lawyers have to do what’s in the best interest of their clients. We’re ethically bound to do that.
We’re not hawking a service or a product or looking at our line card for our partners to fit that into a particular opportunity. We’re assessing and solving the client’s problems so that’s one feature. The other feature is that especially in cybersecurity, businesses are trying to figure out where to start, what’s enough to spend and what’s enough security? Those are delicate conversations. Being able to have that conversation and provide expert advice in a confidential setting is something that other cyber vendors can’t do. We bring all that and we do it from prevention all the way through an incident response. That’s why I got into this space.
What Hilary was talking about is this tool we developed, which is CyberGaps. Ed mentioned it as well. It’s an assessment methodology that is quantitative. In other words, we’ve been talking a lot about risk. How do you measure risk? How do you know when something is enough? We identify the gaps. We score them. The score is based upon something like efficacy data. It’s based upon data that’s out there in the marketplace. It shows what’s effective. We scored controls so that when we go into a company and we do an assessment, we can tell them exactly what they need to do to get to a targeted score based upon math. That’s defensible. Their decisions on what they’re going to do and whether enough is enough, they can back that up based upon data.
I’m the business owner and I go, “Not only do I have a gap, but I’m also clueless.” I know I need to do something to the issue’s resolution and you guys come in. What should I expect when you walk through the door? How long are you typically in my company? Walk me through that so I would know what to expect.
I’ll start by the end. We want at the end of the assessment to give you assurance and defensibility that your roadmap going forward is logical and defensible. How do we get there? We start out by looking at the organizational profile. In other words, there’s an inherent risk based upon the business you’re in, certain of your practices and we would develop an inherent risk score. That provides us their target. It’s high, medium, low. What risk are they in?
What would be a high industry? What would be a low industry?
It’s a factor space. For intellectual property, do you have a lot of intellectual property? Are you engaged in a lot of financial transactions? These are all the elements that create risk. There are certain sectors that have a high propensity for being attacked. As the saying goes from the 1920s, 1930s, “Why do you rob banks? Because that’s where the money is.” Those factors, are you a target for those reasons? Once we profile the organization, we do a full assessment. It’s holistic. People call it 360 or holistic. It doesn’t look exclusively at the network. It looks at their sales practices, their HR practices. Do they have committees that oversee or not? Once we’re done, we give the report that spells out, “Here’s your current score. We’re going to put you on a maturity model,” meaning here’s your roadmap floor. Let’s say the results of the assessment and the scoring are based upon a 1.0 index. Let’s say you’re 0.65 and need to get to 0.7. Two-factor authentication is worth 0.06. Do the math. You just hit your 0.7. Your decisions are defensible. You’ve engaged in a logical assessment to arrive at this roadmap.
For the business, looking at it, we have to do cyber insurance one way or another. They come through and use your Gap tool. Do the insurance companies recognize the ranking for cost reduction or whatever?
The insurance companies, when they are doing what’s called the underwriting of the policy, are asking a lot of questions around what are your networks, what are your practices, what are your procedures? How many records do you have? We find that sometimes we’re asked to get involved because of an insurance application. The small or mid-sized business owner doesn’t know the answers to these questions. They may be Cloud-based. They may be using other services. What they’re finding is their insurance brokers are coming to them and saying, “This is a risk you have that is probably not covered under your regular liability insurance. You need a different policy.” When they’re going through the process of trying to get that policy, they are learning, “We don’t know very much, or maybe as much as we would like to know, about our system.”
The type of assessment that Doug is talking about drills into what is out there, how at risk are you and what can you do to manage forward. Any insurance company is going to look more favorably on an applicant who is proactively looking at their risk profile and managing it rather than an applicant who may not know what their risk profile is and candidly might not be able to answer the questions correctly in the cyber application. This is circling back to where Doug was talking about reasonableness and defensibility. This practice grew out of heavily regulated industries, two of them, who were told exactly what to do and how to do it. Now that we’re talking about reasonable security measures, there is no universal definition for that. It’s going to be defined for each company by their size, by their industry and by their risk.
We know that small and midsize businesses can’t use the Wells Fargo data protection system. They don’t have the resources for it. When you go through an assessment like the one that EOS Edge Legal offers through CyberGaps, you have an opportunity to decide how to deploy those financial and human resources in ways that are going to yield better value than simply throwing money at the problem. We do view this as a tool to help clients get to a place where they not only understand their risk, but they also have a path forward. They haven’t been told this is an insurmountable problem that you can’t afford to manage.
We hear about this migration to the Cloud. “I don’t have it on my server anymore. I have it on Amazon,” or wherever you have it. A major social media provider found a bunch of identifiable information on the server. For the business that’s doing an application-based or Cloud-based business, talk about what you guys are doing to address that issue.
CyberGaps is holistic. It matters in the analysis because we are looking at a different environment, but the process is the same. It’s still the fundamentals. It’s still blocking and tackling. For example, you have an outsource relationship, a Cloud relationship. Who’s got responsibility for what? Who’s observing compliance? Who’s responsible for compliance? They’re still looking at the subscriber agreement or the service-level agreement, the transactional elements, to make sure that you understand who is managing risk.
The risk doesn’t shift to the Cloud. As Ed was talking about earlier, employees are a real source of risk in this field. It’s not because they’re all malicious. It’s because they click on emails that have attachments, and the Cloud won’t protect you from the employee who gets the urgent email from the CEO that says, “I need you to run out and purchase gift cards right away and send me the numbers.” It doesn’t help. The employee is the problem. That problem can only be managed through training. When you go through an assessment, you start to understand better what level of access employees have. Are we segregating the information the employees have access to according to what each employee needs? Are we providing the training so that the employee understands that this is not an IT problem? This is not a problem that resides with the people who know everything about computers. This is a system-wide defense system that every employee needs to participate in.
There are so many devices. They are all attack vectors. That’s not a term in the trade. People are getting in that way. My phone is a device. Unless you’re operating on a netbook, which has no content essentially, all your content is in the Cloud, people will download. There’s personally identifiable information or other sensitive information on devices all over the place.
You look at this as a business owner. I’ve had an attack on my information from a crypto blocker. I’m maybe more sensitive than those that haven’t been hacked yet. When you guys did this alliance, with law side over here and the practical side over here, is that a great way to characterize it properly for the strategic alliance that you put together?
That’s roughly correct. I would say with Doug in particular, he’s a bridge between the law and the technical side. When we delegate to a client project or responsibility, his team comes in and does the technical assessment. Doug definitely participates in the analysis of, “Are you compliant with whatever your duties may be?” If those duties happen to be reasonable like Doug was explaining, it’s being able to show objectively through the math-based model that a client is pursuing a path toward better protection. That’s going to be the best defense. Not just if there were a lawsuit later because I don’t think this is about lawsuits.
This is about keeping your customers, keeping your clients and keeping your employees. What you want to be able to do is say, “There’s no preventing this problem.” Most people accept that proposition now. If you can go back and say, “What I tried to do was take these steps and I did those things that I was told through a math-based model should be those that are best steps for me to take. I had deployed the resources in that manner.” It becomes harder to be critical because you happened to be the target of an attack.
If I’m in the C-Suite or I’m on a board, I’ve got to report to shareholders. You think about cybersecurity, how should they frame this discussion? What should they be doing, or the questions they should be asking either of the people that report to the board or the people that report to the C-Suite, what should they be doing?
It is somewhat of a mind shift. As Hilary said, it’s not something that they should focus on as a litigation risk because as we know most business owners are focused on how are we running the business? How are we satisfying our customers’ needs? How are we going to do a better job of increasing our customer base and servicing our customers going forward? We’re moving into a realm of reputational risk. If we aren’t doing the things that our competitors are doing, our competitors will be taking our business sooner rather than later because we’re going to have a data breach, a reputational risk and harm that comes from that.
We know retailers that have had problems, not necessarily their own and at some instances their vendors who they didn’t properly vet caused the problem for them. Again, it’s this holistic approach of looking at the company. Take a look and see, we’ve been using some military terms, what are the attack vectors? What’s our surface of attack? Each mobile device is a surface of attack. Each employee is an entry point. The management needs to take a look at it. It doesn’t have to be a large company, the single business owner. They should designate at least one person who’s in charge of what are we doing and what are we doing to cover or lessen the attack vector. With either a committee or that individual, you start to take a look at where are we, what’s the low hanging fruit in our company?
Through the CyberGaps tool, you can see on the dashboard that if we do additional training, it does reduce the risk that our company has, that our employees are going to click on malicious malware that’s going to download through a PDF, or that they’re going to send out money because they didn’t recognize that an email came in that wasn’t from the president of the company. It was from an email that looked very much like the president’s email, but they didn’t look at it closely enough. They sent out $1,000 worth of Amazon gift cards. Those are all kinds of things that we’re looking at. Overall, management needs to see what they can do to lessen their risk. It’s also important for management to understand what some of the costs are associated with a breach.
There’s a report called the Ponemon Report. This entity has done global research on the cost associated with a data breach. This brings in larger companies, but the average data breach cost is about $3.8 million to $6 million. That includes your reputational harm, loss of customers, the cost to get customers back and the fix that is required inside. If you have a ransomware attack and it’s done on all your servers, you may have to replace all the servers. You’ve got a loss of business in the ten days, two weeks, whatever it takes to restart the business. You have to have IT spend to rebuild your network, get your laptops back on.
You’ve got a product that’s in transit, you don’t know where it is. Your customers want to know where it is. You have data that’s gone. All of these things impact it. There was a financial advisor that had essentially twenty years’ worth of client data, including dead clients, old clients, gone clients, and had a breach. What did they have to do? They had to send out notices to all of the clients, “We had a breach.” Reputational harm, some of them were dead and their children are like, “Why did I get this? Is my dad’s information out there?”
For a malicious attack, the cost per record is around $207 per record. If you’re not managing your data properly for the current client base, you have twenty years’ worth of clients, which is 20,000 clients, rather than 3,000 clients. You’ve increased your costs tenfold. We’ve talked about the human error of employees clicking on things causing problems. That’s about $170 per record. An error in your system is about $160, so if you’ve got bad software, bad coverage, things like that. There are these costs that management can take a look at and say, “Here’s the reason why we ought to be doing these things to at least increase our protection.”
I was thinking about it as an insurance company trying to come through and price insurance to a particular business. You’ve got 5,000 customers or you’ve got 20,000 customers and I’m thinking that would be a unique business proposition to try to figure it out. If they price it on a per-head basis, how in the world can anybody afford it in the small business world? Thinking about that, Hilary, we were going to talk about reputational harm. I’m thinking about Equifax. That’s their business. What they said was there were enough records breached that it was pretty much everybody in the United States.
That’s my understanding.
What do you think?
There are a couple of different levels there. Equifax obviously survived because they compete in a world where there are a few other large credit reporting companies. They had the resources to deploy in order to manage that breach as best as they could. All of the statistics and studies show that when you don’t have unlimited assets and you are in a competitive environment, a breach is something that can cause what’s called churn. As Ed was explaining, it’s the loss of customers who simply choose to go somewhere else because their reaction to something that happened inside your networks wasn’t resolved and you’re not able to adequately explain. What the studies show is that those businesses that affirmatively look at what information do I have? How am I storing it? Am I getting rid of it appropriately as far as both timing and the manner of disposition? They’re in a better headspace to deal with a breach.
Because again, they can go back and explain, “We did what we could and here are the steps we affirmatively took.” Going back to how all of this works in a smaller mid-sized business environment, we want to take away the piece you spoke about. It’s so daunting that we ignored it. We want to make sure it’s something that is identified as a risk and that instead of reporting you’ve got issues, you’ve got obligations and good luck figuring out those issues and obligations, the CyberGaps assessment allows the small business to go through and do that real holistic look at what are our data protection issues, how many individuals’ records do we have? If I’m running an apartment complex that’s been around for 50 years, do I have rental applications with Social Security numbers from 1986? Maybe I can lower my risk by making sure that we’re not keeping those records either on paper or electronically because they’re no longer reasonably necessary.
It does give you a focused period of time where EOS Edge comes in and does interviews in order to help you inventory where you are and what you can do. You walk away with a plan towards doing better. Once you take away the daunting nature of this problem and look at it as businesses look at every other risk management issue that they deal with, it becomes so much more manageable. We can talk about it on all sorts of fronts. The beginning of the analysis is where are you now and what can you do affirmatively, including assessing the risk and perhaps insuring it. There are a lot of ways to manage this very daunting task that can make it not only less daunting, but something that becomes a value add for you as a business, your clients and your employees by having gone through a process and meaningfully addressed and considered the problem.
I can add one comment to the Equifax piece from another angle on it. It demonstrates that it can happen. Being compromised, being breached can happen to anyone. I say that because they’re presumably highly secure. They’re in the security business in some respects and yet they got hacked. They’re not the only one. There are a lot of organizations in the security business that have been hacked. You could argue that they were targeted. Fair enough. Without naming another incident but describing it, there’s an App Marketplace for the apps that we download on our phones. The App Marketplace had malware apps for sale that were available. The point is, what if an employee might have downloaded or might in the future download an app? It is ubiquitous. The risk is ubiquitous. The key point here is that it’s a risk. All risk can be addressed if leadership is involved and you put certain practices, procedures and governance in place.
If I’m the business owner that just got hacked, my first call is typically to either my wife or IT, one of the two. You go, “I cannot believe this. Call IT.” Once you get IT involved and you go, “Never again.” What would you guys recommend as the next steps?
IT is always called. The cyber law practitioner should be called either before that or coincident with that, because this is now a best practice. Every insurer that offers cyber insurance, every one of them, their practice is to deploy a law firm first. Who’s ultimately the payer? The insurance carrier. If they looked at this risk and said, “We need to employ a law firm,” that tells you something. They’re looking to reduce litigation risks down the road if it becomes a data breach and there’s litigation. Having the attorney-client privilege involved or the work product privilege is an important component of how you respond to an incident.
I don’t think anybody is talking about that.
The insurance industry is for sure. We are definitely in that space. I’ll take it one step further, which is before you’ve had the incident, and this is something that we do with the CyberGaps assessment in preparing companies, you ought to have an incident response plan. Hitting the fire alarm and having the team show up and first have to find the place, trying to figure out where the water systems or electricity are, that’s not the time to figure that out. Have this stuff in place beforehand so that if you do have an incident, the triage team goes in quickly and hopefully can reduce it, can stop it, stop the harm, stop the bleeding and handle things professionally and quickly.
We’re going to segue into your favorite buzzword, cyber hygiene.
It’s a buzzword. It’s a great word to get everybody to understand that you have your daily hygiene in life. That helps keep you healthy. Cyber hygiene is what’s going to help your company stay healthy. There’s a couple of groups that have done studies. One is the Center for Internet Security and the other is the Council on Cybersecurity. They’ve found that putting good cyber practices in place, which is training your employees and things like that, can reduce the risk of an attack or a breach, not necessarily an attack, but a breach and a loss, by 85% to 90%. It’s going to those employees. You take a look at what’s connected to your system. One of the first steps is to assess the inventory of devices that can access your system. How many printers do we have that are Wi-Fi? Do they have a password? What are the portals that we have in our network? Are they secured behind a firewall? What are our passwords? Inventory the passwords. Do we have a password of 1-2-3-4-5, as many people’s routers come to them?
Admin is always a good one.
Admin is a username and the password is 12345. How many people would leave that open whether it’s at home or their business? Once you’ve done that inventory of your devices, you need to assess the access. The next step is developing awareness with your employees, not just your IT employees. Everybody in the company as to what the risks are to the company, to the clients and the reputational harm. The next piece is preparedness. Do you have an incident response plan in place? Another way to address it is to have what they call a tabletop exercise where you sit down with your key people and you say, “Assume we had a breach, what’s the first step? What are we going to do?”
Before we go further, if the guys are going, “I give up. I’m at risk. I need to call you guys.” How do they find you? What should they do?
You can Google any one of our names. Take a look at Lewis Roca Rothgerber. Our website is www.LRRC.com. We have a page for our Cyber Group. We have all of our contact information on that page. You could contact Hilary. You can contact me. You can contact Bill. Doug’s information is there as well. We’re available at any time. We’re more than happy to talk to people and we can talk them through some of these steps. Here’s what you need to start to think about. One easy tip for anyone is if they are going to put a plan in place, print it out. It’s a simple practical idea because if you have your incident response plan on the computer and it gets hit by ransomware, you can’t access your computer. What are you going to do?
I’m a business owner. I’ve already got an attorney. Why would I want to call you guys?
There’s a couple of comments. First of all, in cyber, this is not talking about lawyers, this is broadly about cyber. It’s so hot right now that if anyone in the industry has been in the military, been in homeland security, been in IT, been in other kinds of security, they now have a cyber title. It’s taken ten years of practice in the military and elsewhere to understand what the cyber risk is. I like to call it a cyber risk because it’s a translation of incidents and intelligence into meaningful advice to a client and translating it into legal terms or business risk terms. Increasingly, with the nature of the attacks getting sophisticated, it’s this hybrid of understanding that tech ecosystem. It’s having relationships with law enforcement as well as government and connections throughout the industry. Those are features that we bring to the table.
The thing I think about is this push toward IOT, the Internet of Things, which we were talking about before. You got a smart refrigerator and it goes, “You’re eating too much.” I’ve got the smart Alexa or whatever it is or the Dot in your house. Every other thing in your house is supposed to be connected. How do you guys see that with your approach to business? What is it going to take to start to migrate to the homes as well?
It’s an attack vector. If they get into the router, that will change the equation. We’re not typically talking personally identifiable information or data privacy. That certainly could happen. It’s more of involving devices in botnets. Botnets are networks that are used to take other companies off the internet, using the devices as part of a network and having the bandwidth. We have so many near-term problems. There’s the internet of things, trade groups and the government, smart energy, smart this, smart that. It’s not that we’re not interested in that. There’s only so much that we can focus on.
It’s a low hanging fruit. Where’s the biggest risk first?
Data privacy, there is a trend globally about protecting data privacy. That’s what we’re primarily interested in.
I’m an old Intel guy too. When I think about the electrical grid, the challenges within the electrical grid and pretty much any infrastructure item, I don’t know where they’re at, but I suspect they are ahead of many of the smaller businesses on that. In looking at it, what advice are we getting as an industry, or you, from the three-letter agencies? In this case, we’ll use the FBI.
The FBI, they are tracking cyber theft. One of the big areas that applies to probably almost any person that’s going to read this is the theft of money over the internet. Whether it’s through something that they’ve downloaded or for any homeowner, one of the hottest areas right now is stealing the closing proceeds for home closings. They’re not hacking into Wells Fargo. What they’re doing is they’re going to the real estate firm, the appraisal firm, the closing title agent, the closing office. They’re all sending emails back and forth about what the closing date is. They’re all sending emails that may include a closing checklist, that includes the name of the bank and the bank number, the account number and the routing number, where the money’s going to go. The hacker can sit inside the email system and watch for closing to happen. What did they do next? They spoof an email address. It looks like it’s coming from Ed Barkel at LR Law.
For spoofing an email address, let’s say my name is Bob Roark. They’re going to spoof an email. Do they add a letter or something else to make it look the same?
For my name, the last letter of my name is an l. They could use a capital I for a small l, or if you had an “i” in your name, change it to an l. The capital I looks like an l. Run that right through. It looks like the right email. We did have an incident with a client. We were lucky to capture it. They changed the email address from our firm name. They put a hyphen in between the person’s first and last name instead of a dot. By doing that, it looked like the email address. They came in and said, “Send the money to this new bank. We’re having a problem with our old bank account.” Luckily somebody picked up the phone along the way and said, “Why would they be changing bank accounts at this late date?” Everybody knows this closing is going to happen. They saved it. What’s happening with the closing transactions is now you’re ready to close and everything happens.
Somebody looks at their accounts and says, “Where did the closing proceeds go?” It’s something that can happen to everybody. The tips from the FBI are when you have a transaction, have what they call an out of band authentication process. If you and I are going to transmit money tomorrow, I don’t send you all of the closing information. When I send the account number, I might call you on the phone and say, “Here’s the account number, read it back to me. That’s where the money is going to go.” We’ll do confirmation in a separate way. Maybe you have a password that you’ve exchanged ahead of time offline. When it goes through, you’ve got that keyword built into the emails. The other person knows this is authentic.
There’s a methodology of sending secure.
Encryption, there are different services available where you can upload a document through a secure server. It comes out the other side encrypted. You mentioned folks have encryption devices where you can do that encryption. Those are all steps that you can use. Another way is, let’s say that you get that closing memo and it’s time to reply. Instead of hitting the reply-to-all button, because then you can reply to the spoofed email, go ahead and start typing in the email addresses that come up from your email data bank. You’re going to get the right email. It won’t be the one that’s got the capital I for an l and things like that.
The FBI also recommends using what they call two-factor identification. You may have seen it with some of the Google accounts and things like that. If you want to do X, we’re going to send you an authentication code via your cell phone. If you have accounts where you can enable that, do that. That’s a key step in avoiding problems. Train employees to delete spam. If an employee sees something that looks like it’s fake, report it to your IT people. My wife and I both received the text message that said, “This is a message from your bank. Your account is now frozen. Click on this link.” I immediately sent her a message, “Don’t do it. If it’s from a bank, it would be HTTPS for secure.” It was not.
For the folks, there’s a small five-star tip.
Your bank is going to use secure servers and websites. On those websites, after the HTTP and before the colon and slashes, there’ll be an s. If it doesn’t have an s, it’s an unsecured website. At the very end of this string, it wasn’t dot com. It was dot CL. I looked that up. Why would my local bank be having me contact somebody in Chile? It’s obviously fake. Luckily, she didn’t click on it. I didn’t click on it. We’re good. With the employee training, one small thing that some companies have their IT department do is, when an email comes in, have a banner added that says it’s an external email. You’ll see it from a lot of financial institutions; they do this.
It becomes more obvious to an employee that this is a fake email because the president would not be sending an email from his company address that shows up as external. I have a red flag. Train employees on that. Don’t click on links. There are other simple ways it may look like our firm website might be the link. If you hover your mouse over that link, you’ll see what the underlying address is. Those hyperlinks, you’ll see all the information. If it looks goofy, again, don’t click on it. What the FBI is saying is pay close attention, train your employees to watch out for these kinds of red flags that are out there.
Do you see much risk to the cell phone world on hacking right now?
Most companies, or a lot of companies, have bring your own device policies where you’re allowed to use your phone in order to access servers. That’s yet another attack vector. I will say a benefit that comes with that is many companies also require that you have pretty strong passwords on the device. The device itself is not as much at risk as it would be if it were given to a teenage girl who forgot to put a password on it. Cell phones are still a vector. They are still a serious vector. To Ed’s point, a real benefit to them is the ability to do two-factor authentication. When you get the email back that says before you can proceed into your account, you’re going to have to enter the six-digit code that’s been sent to you.
That’s only possible if the person who has made the request for the information has got both the access to your account and your physical phone. It does reduce risk by taking the authentication process away from a hacker who’s able to get whatever information he or she is able to divine from the inside of an email system or a network to also require that the entity who’s accepting the information verify that there is a physical presence. There’s a phone that’s been associated with me personally. They won’t let me go forward without that code. It’s inconvenient. Doug would say that a challenge in this space is that anytime you were adding more security, it’s no longer as easy. One of the things we see is passwords reused or my favorite, having your password be the same for every single account you’ve ever had. While that’s convenient, I won’t forget it. It was easy. Once you get my password, then you get into every account I have and to mimic me if you would like to.
For the business owner, it sounds like I can offset risk to the extent that I can. What other tools? There’s business risk insurance, cyber insurance. What should they be thinking about?
The first thing is for businesses to pay attention and take ownership of the problem. There was a report out a few months back that indicated that US executives saw cybersecurity as one of the top three risks, but labeled it as an external risk. When they are asked the same question or a similar question about what they’re concerned about in protecting data privacy, they put it down around fourteen at the end of the list. What I read into that is they didn’t embrace it as their own problem. They saw it as an external thing. It’s state actors, so it must be the government’s problem, or “I’m not in this space. I’m not being targeted.” The key thing is for leadership management to be engaged.
I want to use that topic heading to talk about a couple of things that Hilary and Ed mentioned in this context. One of the things that management can do is create a culture of security. We were talking about cell phones. We pick up the phone. I have a phone in my hand. This is my personal phone, so I trust it. It’s still a computing device. There’s data that comes across it. We can’t, because we trust the device or we like the device or it’s my device, let that translate into, “I trust everything that happens with it.” We have to remove some of the trust. Another example is looking at the internet as a high crime neighborhood, because it is. If you had a business in a high crime neighborhood, you wouldn’t be advertising in the windows what you have inside.
These are ways that we train employees to create a culture of security, except that to be more secure, it may be less efficient. It’s a tradeoff. If you want to protect data privacy, if you want to ride along with the trend and improve your business prospects, have a better reputation and reduce risk, these are things that business leaders need to do. On a more practical side, we mentioned already the incident response plan. That’s important. It depends upon the size of the business, whether it’s a management committee that meets regularly and addresses cybersecurity or putting someone in charge. Who’s responsible? Empower that person and give them a budget. These are some things at a management level that are important. You also asked about insurance. Hilary is going to talk a little bit about that.
Insurance is a piece of a risk management profile. It’s a backup system. If something goes wrong, then you have insurance hopefully in place at an adequate level. This is going to reduce the financial harm of an attack. The information and the risk that it creates exists through the lifecycle of the information. You need to look at risk management from an intake perspective, from a perspective of what’s happening to the information while it’s here. Make conscious decisions about when is it appropriate to dispose of the information and how do we dispose of it appropriately.
If you manage those three front end risks, then you hope you don’t get to the insurance. The insurance should not be your risk management plan. That plan means something’s already gone wrong. You’ve got to look at this life cycle and manage the risk. I do believe insurance is an important component of it. For a lot of businesses, they’re finding that their insurance brokers have identified this risk and are suggesting cyber insurance. It’s the cyber insurance application process that’s educating them about the need to understand this lifecycle of information.
I think about the business owner and they go, “I want to look at your risk. I haven’t done anything that’s going to cost you more. I’ve done a lot that’s not going to cost you less.” From the business owner’s perspective, like everything else, I’m going to manage the expense of doing that.
Insurance is financial protection. I want to make sure that we leave this. A real risk and we think probably a more significant risk for many businesses is the reputational harm. The insurance piece isn’t going to solve that problem.
We’ve covered a lot of waterfronts. For the business owner out there is going like, “It feels a little bit hosed down maybe, they should reach out.” I would say that the biggest risk that they have is not reaching out to you guys to at least have the conversation. Once that conversation goes on, then they moved to the next step, whether they’re going to engage or mitigate. We’ve talked about a lot. Is there a topic that I failed to ask that we should be talking about within this space?
I’ll circle back on two things that you mentioned before. One is differentiation. Should they go to the local attorney down the street who did their trust and maybe did a key man insurance plan or something like that? They’re probably not going to have the background and the information available to give them the information that they need or help them build that plan. What we bring to the table is Hilary’s got over twenty years of experience in the insurance arena. Hilary is very familiar with many of the cyber policies that are out there, or at least the key elements of them. One thing that’s a little bit daunting from that side as well is figuring out whether your policy covers the things you need.
None of the policies are exactly the same. It’s not like a term insurance policy where all the terms and conditions have been hammered out over the last 50 years. Each company has a little bit different set of terms and other things like that. I had a client that thought they had cyber insurance. What it turned out was each of the two owners had $15,000 worth of coverage if it was their own personal information that had been stolen, but it only applied to one of the two. Whoever was first to report would get the $15,000 of coverage. They had no idea that what they bought was far less than if they’d gone on to Lifelock or Costco and bought a policy for themselves and would have $1 million worth of coverage for the same price.
We can look at the insurance policy. One of the issues is, beyond a straight cyber policy, do you need some coverage in your D&O policy for your officers and directors? Do you need property and casualty coverage? If your servers get locked up by ransomware and they’re toast, do you buy those out of your own pocket or do you have coverage for that? Errors and omissions, if you were negligent in maintaining it, would it be covered there? Maybe, maybe not, depending on your profession. We’ve got all of those things.
Bill and I had been in the financial services industry. We’ve been dealing with Gramm-Leach-Bliley, Regulation S-P and Consumer Data Protection in the states are branching out in covering much more of that information. We can also advise as to whether you need to report what may look like a data breach. You may or may not have to report it to a state regulator. There’s a lot of those different things that come into play. We think we’re positioned to help our clients out, large or small. I think the smaller folks are the ones that we’ve been talking about all day, don’t know what they don’t know. It’s that unknown that we can help them figure out.
For the audience, we talked at a time and people go, “Why do you have these guests on the show?” It’s the unseen risk and back to your comment. At a minimum, the CyberGaps side says you may not know where you’re at, figure out where you’re at. Take a look and go, “What’s the risk, what are the next steps?” Reach out to you guys and get that part taken care of. For the business owner who goes, “That’s one more expense,” I’ll go, “No, if you look at a value gap and you’re getting ready to sell your business, you’ve got nothing done.” You go, “That’s a challenge.” It helps the business owner increase the value of their company. It’s good business. I can’t tell you how much I appreciate you guys coming in and talking about this issue. I honestly don’t know what it’s going to take for it to become more widely adopted, understood and considered for the business owner. We’ll certainly be doing our part to try to get the word out.
We would say please visit our website, www.LRRC.com. You’ll see an example of the CyberGaps tool. We can also make arrangements for a demo. I know it’s one thing to read about what it is but understanding what the product is and the outcome is very helpful.
Take the next step. We’ve talked about it. We have some good tools, a lot of know-how and we’re looking to help solve some problems.
You put it on the to-do list, move it up.
The last thing that I would add is the human element is the biggest variable that any company has. Many studies have shown that saying what your policy is isn’t enough. You need to do testing and get your employees involved. We can help put together an email test program where you send out a fake email. You can track which employees are your risk quadrants because they’re clicking on everything and potentially downloading all kinds of harmful stuff.
I don’t sometimes know if the employees attach the meaning between profit in the company and job security. You’re thinking about the profit of the company and you go, “We’re at risk to you surfing around the internet and downloading weird stuff,” finding out that you have a $4 million policy coming in from somebody in South Africa. You didn’t know all of those things. At the end of the day, if you blow the company up, your job’s gone. Most employees don’t understand what part profit has to do with job security, benefits, vacation and health care.
There are stats out there that show that after a data breach in a small business, more than half go under.
That’s a grim number. You’re the small business owner and 80% of your net worth is tied up in your business. You have the data breach. You have a cybersecurity problem. It’s almost an irrecoverable error. You go, “I’m going to work until I die.” It’s a big challenge.
If you still have a place to work.
Thanks so much. I appreciate it.
Thanks for having us. We appreciate it.
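The look-alike sender addresses the panel describes in the closing-fraud discussion (a hyphen swapped for the dot between first and last name, a capital I standing in for a lowercase l, a .cl domain in place of .com) can be caught mechanically before anyone has to pick up the phone. The following is an added example written for these show notes; it is not code from the panel, EOS Edge or Lewis Roca Rothgerber Christie, and the contact addresses, the confusable-character table and the "two edits or fewer" domain threshold are this example's own assumptions.

```python
"""Flag sender addresses that impersonate a known contact.

Added example (not the panel's code). Contact addresses below are constructed
for the demonstration and use the reserved .example TLD.
"""
from __future__ import annotations

import unicodedata

# Glyph pairs attackers substitute because they render alike in common fonts.
# Text is lowercased first, so a capital I becomes i and is then folded to l.
_CONFUSABLES = str.maketrans({"1": "l", "|": "l", "i": "l", "0": "o",
                              "5": "s", "3": "e", "8": "b", "9": "g"})
# Separators in the local part carry no identity: ed.barkel == ed-barkel == ed_barkel
_LOCAL_SEPARATORS = str.maketrans("", "", ".-_")


def canonical(text: str) -> str:
    """Normalise a string so visually similar spellings compare equal."""
    text = unicodedata.normalize("NFKC", text).lower()   # fullwidth/compat forms -> ASCII
    text = text.replace("rn", "m").replace("vv", "w")    # 'rn' mimics 'm', 'vv' mimics 'w'
    return text.translate(_CONFUSABLES)


def split_address(addr: str) -> tuple[str, str]:
    """Return (local_part, domain), both lowercased; raise on malformed input."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    return local, domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, inlined so the example has no dependencies."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_domain(a: str, b: str) -> bool:
    """Same domain after folding, same organisation label under a different TLD
    (bank.com vs bank.cl), or within two edits of each other (assumed threshold)."""
    a, b = canonical(a), canonical(b)
    if a == b:
        return True
    org_a, org_b = a.rsplit(".", 1)[0], b.rsplit(".", 1)[0]
    return org_a == org_b or edit_distance(a, b) <= 2


def classify_sender(sender: str, trusted: list[str]) -> tuple[str, str | None]:
    """Return ("trusted" | "lookalike" | "unknown", matched_contact_or_None).

    Exact matches win first so a genuine contact is never reported as a
    look-alike of another entry in the list.
    """
    s_local, s_domain = split_address(sender)
    parsed = [(c, *split_address(c)) for c in trusted]
    for contact, c_local, c_domain in parsed:
        if (s_local, s_domain) == (c_local, c_domain):
            return "trusted", contact
    s_key = canonical(s_local).translate(_LOCAL_SEPARATORS)
    for contact, c_local, c_domain in parsed:
        c_key = canonical(c_local).translate(_LOCAL_SEPARATORS)
        if s_key == c_key and near_domain(s_domain, c_domain):
            return "lookalike", contact
    return "unknown", None


def reply_to_mismatch(from_addr: str, reply_to: str | None) -> bool:
    """True when a Reply-To header would route the answer to a different domain
    than the visible From address: the reply-all trap the panel warns about."""
    if not reply_to:
        return False
    return split_address(from_addr)[1] != split_address(reply_to)[1]


# Constructed contact list for the demonstration.
TRUSTED = ["ed.barkel@lrrc.example", "hilary.wells@lrrc.example"]

if __name__ == "__main__":
    for sender in ["Ed.Barkel@lrrc.example",      # genuine, only case differs
                   "ed-barkel@lrrc.example",      # hyphen for dot (the incident described)
                   "ed.barkeI@lrrc.example",      # capital I for lowercase l
                   "ed.barkel@lrrc.cl",           # same organisation, foreign TLD
                   "jane.doe@elsewhere.example"]: # nobody we know
        print(f"{sender:32} -> {classify_sender(sender, TRUSTED)}")
```

The check is deliberately one-sided: a verdict of "trusted" only means the string matches an address you already vetted, and "unknown" is not a clean bill of health. Anything flagged as a look-alike, or any message whose Reply-To points at a different domain, is exactly the case for the out-of-band phone call the FBI guidance recommends.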
- EOS Edge
- Lewis Roca Rothgerber Christie
- Ponemon Report
- Center for Internet Security
About Doug DePeppe
Doug DePeppe is an attorney and the founding member of eosedge Legal, and is a Strategic Advisor to Lewis Roca Rothgerber Christie LLP’s Data Protection and Cyber Security practice. A retired Army JAG officer and cybersecurity attorney, Doug has been centrally involved in national-level and leading commercial cybersecurity initiatives for over a decade.
Doug specializes in advising clients on all matters pertaining to cyber policy, liability, strategy, incident response and other business issues. He offers expertise in all facets of the law and public policy for the cybersecurity challenge, in both commercial and government spaces.
Doug applies his deep experience, including service under two White House cybersecurity initiatives, to help businesses mitigate growing exposure from cybersecurity threats. His portfolio of security projects includes:
- Data breach response
- Privacy policies
- Data Security compliance
- Cybersecurity legislation
- Forensics analysis
- Cybersecurity plans for national and international engagements
- Cyber-threat information sharing frameworks
About Hilary Wells
Hilary Wells is a partner in the firm’s Litigation practice group and serves as the chair for our Data Protection and Cybersecurity team. She has represented a wide-range of businesses including banks, financial advisors, private equity companies, insurance companies and health care providers. Hilary has tried cases in federal and state court as well as in arbitration.
Hilary regularly consults with and advises clients about data protection and security matters. She guides clients through increasingly complex regulatory and statutory requirements for collecting, processing and protecting personal information. She helps clients implement and enforce privacy policies and properly respond to data security incidents.
Memberships & Affiliations
- American Bar Association Tort & Insurance Practice Section Life Insurance Committee, Chair
- PLUS Professional Liability Underwriters Society, Member
- Colorado Women’s Bar Association, Member
- Colorado Bar Association, Member
- American Bar Association, Member
- International Association of Privacy Professionals, Certified Information Privacy Professional
About Ed Barkel
Ed Barkel is the lead partner in the firm’s Securities Litigation practice group. He defends broker-dealers and individual brokers in arbitrations and litigated matters. A significant portion of his practice is devoted to defending independent financial services firms and their advisors. He also provides consulting services in compliance-related matters including supervisory system design, special investigations, special supervision programs, branch office examinations and regulatory mandated consulting. His securities industry background enables him to offer unique “insider” insight, knowledge, experience and understanding to clients.
Ed is also a partner in the firm’s Litigation practice group and is a member of the firm’s Data Protection and Cybersecurity team. He regularly advises broker-dealers, investment advisors and insurance companies on privacy under Regulation S-P. Ed also consults with and advises clients about data protection and security matters. He guides clients through increasingly complex regulatory and statutory requirements for collecting, processing and protecting personal information. Ed also helps clients implement and enforce privacy policies and properly respond to data security incidents.
Ed worked for eight years in the securities industry before joining Lewis Roca Rothgerber in 2002. Ed has been Senior Vice President, General Counsel and Chief Compliance Officer for a mid-sized broker-dealer and prior to reentering private practice was the Associate General Counsel and an Assistant Director of Compliance at SunAmerica Securities, Inc. He also spent two years as a securities registered representative before moving into management.
Ed held several securities licenses including, NASD Series 7, 24, 63 and 65. Ed also held Life, Health and Variable Insurance licenses and has acted as an expert witness in securities arbitration matters.
Prior to entering the securities industry, he spent six years in private practice concentrating on mergers & acquisitions, general corporate matters, securities, and litigation.
Memberships & Affiliations
- Certified Exit Planning Advisor (CEPA)
- PLUS Professional Liability Underwriters Society
- Financial Planning Association, Member
- Securities Industry Association Compliance and Legal Division, Member
About Bill Nelson
Mr. Nelson is a partner in the firm’s Securities Litigation practice group and a member of the Data Protection and Cybersecurity team. His practice is concentrated in the area of securities litigation, securities arbitration and regulatory defense. Mr. Nelson represents broker-dealers, registered investment advisors and individual securities professionals. Mr. Nelson has been involved in more than four hundred arbitration proceedings, as counsel and as an arbitrator, before FINRA, NASD and AAA. Mr. Nelson has represented clients in injunctive cases in various courts involving non-competition and non-solicitation agreements. He has represented clients in investigation and enforcement actions before the SEC, FINRA and various state regulators. Mr. Nelson also represents businesses and employers in employment matters including defending and enforcing restrictive covenants, wrongful termination issues, discrimination issues and handling matters before the EEOC and its state counterparts.
Mr. Nelson also serves as a mediator in commercial law business disputes.
Mr. Nelson spent six years as Associate General Counsel to a New York Stock Exchange member firm where he had both legal and business responsibilities. He held various securities licenses including registered representative, general securities principal and branch office manager. Mr. Nelson has also acted as an expert witness in securities arbitration matters.
- Lewis Roca Rothgerber Christie LLP (legacy firm Rothgerber Johnson & Lyons LLP), 1999-Present
- Slivka Robinson Waters & O’Dorisio, P.C., Shareholder, 1991-1999
- Kemper Securities, Inc., Associate General Counsel, 1990-1991
- Boettcher & Company, Inc., Associate General Counsel, 1985-1990
- Moye Giles O’Keefe Vermeire & Gorrell, P.C., Associate, 1982-1985
- United States Tenth Circuit Court of Appeals, Law Clerk to the Honorable Jean S. Breitenstein, 1981-1982
Memberships & Affiliations
- Colorado Springs Chamber of Commerce and EDC, Board of Directors, Member and Governance Committee Chairman
- Colorado Springs Pioneers Museum, Board of Directors, Member and Past President
- City of Colorado Springs Community Advancing Public Safety, Leadership Committee, Member and Past Chairman
- University of Colorado Foundation, Board of Trustees, Member
- THEATREWORKS University of Colorado at Colorado Springs, Advisory Board, Past President
- Colorado Springs Downtown Business Improvement District, Board of Directors, Member and President
- Colorado Springs Downtown Partnership, Board of Directors, Member
- Fire Foundation of Colorado Springs, Board of Directors, Founder, Member and Past President
- The Colorado Springs School, Board of Trustees, Past Chairman
- Pikes Peak Amateur Radio Emergency Service
- Securities Litigation Commentator, Senior Contributing Editor
- Securities Arbitration Commentator, Board of Editors
- El Paso County Bar Association
- Colorado Bar Association