The following article was made available and moderated by Ray Paprocki, publisher and general manager at Columbus CEO. In this article, Ray interviews Tom Skoog, the Cybersecurity and Data Management practice leader at Blue & Co., LLC.
Columbus CEO Virtual Roundtable: Cybersecurity
The U.S. government recently blamed the Russians for a major hack of federal agencies and large companies by compromising software made by Texas-based SolarWinds. Some have called the massive breach the Pearl Harbor of American IT.
This cybersecurity crisis is just one more reminder that business owners and executives should focus intently on protecting their data and networks.
Columbus CEO discussed key issues involving cybersecurity with representatives from Affiliated Resource Group and Blue & Co. during a virtual call on Feb. 2.
Here is an edited and condensed version of that conversation. Transcript provided by PRI Court Reporting.
Ray Paprocki (CEO): What can businesses learn from the SolarWinds attack?
Michael Moran (Affiliated Resource): This is just an example of things that have been going on for a long time. If you look back to last year, FBI Director (Christopher) Wray stated that half of the ongoing investigations the FBI was looking at had to do with intellectual property theft—it had to do with access and cybersecurity issues.
Executives rarely ask IT professionals what are the tools that you use to support and manage the business. I think they need to have an annual risk assessment. They need to start looking at their IT operations, not from a negative but, hey, where might we have some holes that we can protect.
As an executive, you need to be asking more questions about the status of your IT. Many executives aren't comfortable with IT, so they assume it's covered. You have to ask. And then I think that executives need to inspect what you expect. If you're expecting your organization to be protected, how is your team doing that?
Thomas Skoog (Blue & Co.): What organizations can learn from this is they really need to make sure that they're managing the risk of their vendors. Imagine if what happened to SolarWinds happened to Microsoft, or to Apple, or Adobe, or SAP, or Oracle. And it's also not just software that this can happen to. There have been several examples of microchips being infected with malware inside of hardware.
So what are some reasonable things that you can do? I think the first is to acknowledge that this happened, and it can happen again. Second is to understand from your software vendors—your key software vendors or other key parties that can have an impact on your network and your systems—what protections have they put in place to identify and detect and respond to this type of supply chain attack.
And finally, I think you need to have a quality backup strategy and test your restorability of that plan. And that you have got to change your paradigm from not if we're breached, but rather when we're breached and have well thought-out plans that are tested to respond to that breach.
CEO: What are a handful of key questions leadership should be asking, and what are the answers that might cause them concern?
Skoog: Are they setting the appropriate tone at the top about security? Do they have an appreciation for the sensitivity or the confidentiality of their data if the data was lost or the integrity of the data was compromised? What kind of impact is that going to have on the business?
From there, I think they can start asking the questions about what are we communicating to our employees about the criticality of that data and setting that tone at the top so that employees realize they need to properly protect this data because it's vital to the survivability of the business.
And I would ask the IT folks what is being done to properly protect our data. I think this is where it's probably advantageous to—especially for a small business that is relying on a single IT person—to look outside your business for some help. It might be just simply, hey, what are the 10 or 15 questions I should be asking my IT person, and what kind of answers should I be expecting? Your accounting firm should have somebody that does that.
Moran: What are we trying to protect? Some companies, they're trying to make sure they're protecting their productivity, because they don't want any down time from their systems. Other companies have to balance protecting their data—for example, companies who work with consumers, in the health care or financial services industries—and protecting the productivity of their systems. Others have intellectual property they're trying to protect in addition to protecting their productivity.
Are our systems prioritized? Then start looking at what are the threats to our organization. If you don't understand that, you can't have a level of protection for that. How comfortable are we with our ability to detect and respond before it's too late?
And then there are questions about an incident response plan. How are we going to respond when something happens? When did we have our last risk assessment? When we start with new customers, that's one of the questions we ask, and very rarely have they had a risk assessment done in the last two years. And I think in today's environment that's a risk.
Skoog: It's important to make sure you're asking those kinds of questions to the right people. It's the CEO, the CFO, the owner. I don't think you can rely on your IT person unless they're having several conversations with those executives to answer those.
Moran: I did a presentation about a year ago and it turned out about 80 percent of the people in the room had HIPAA regulation requirements, and they didn't even realize it until I asked and then explained it to them. And there were some very interesting looks among people in the room, like holy moly, we've got some work to do.
CEO: How has COVID-19 impacted cybersecurity?
Skoog: Since COVID, there's been a huge uptick in ransomware attacks using COVID as the guise for whatever the scheme is that the hackers are using.
I think another thing that we've seen early on when a lot of companies went remote was they weren't prepared to have an entire workforce go remote, so they had employees using home PCs to access their network, and those home PCs didn't necessarily have the protections on them that their work PCs did. Most of those companies went ahead and procured laptops and then configured those laptops appropriately.
And I think a lot of companies have been pleasantly surprised that moving to a remote environment wasn't as difficult as you might expect it to have been. The investments they had to make were maybe not quite as onerous as they thought they would be.
Moran: Between January and early February (2020) there were like 1,200 URLs registered that had a tie to COVID or coronavirus worldwide, and you've got to believe that not all of those were done for a positive registration.
Longer term, we're working with organizations now that are trying to look at their infrastructure and their networks and determine how are we going to handle this potential quick flip of what goes on in case something else happens. What is their strategy with their infrastructure? Are we able to make quick changes like we had to do there? Are we in a position to help support those things?
CEO: We all know the importance of training. Are there any examples that prove to be most effective in getting people not only to understand the information, but also to apply it beyond the training session itself?
Moran: It's regular training and then it's also reminders via simulation. It's maybe a 15- or 20-minute video they have to watch with a little quiz that follows it. And then they get, on a regular basis—and in many cases it's specifically tied to not only their role in the business, but the department they're in—phishing simulations. Where they get attempted emails to go through. You find out who some of the folks are that are risky clickers.
Skoog: Find that line of not over-communicating, because at some point people will start shutting that off. But also not under-communicating the importance of good cybersecurity practices. And just doing it annually is certainly under-communicating.
CEO: Is there anything that we havenât addressed that you think is important that you want to share?
Moran: You've got to have a response plan put together as an organization, and you really have to have that in place today. Sometimes people say, well, I got an IT provider so if I have a problem I call them.
OK. That's part of it. But do they have a plan to help you get that done? What are we doing on a day-to-day basis to protect our systems? What are we going to do when we realize we have an issue? How are we going to respond? What are our steps going to be? What's the plan to get it fixed? And there would be more requirements depending on the type of organization you are. Because if you have regulatory requirements, you have to do additional things to determine what's the effect of things.
And you have to have a communication plan. And that communication plan can be as simple as who are we going to contact and when? Many companies have cyber insurance. So you may need to call them to let them know you had an issue. You may need to call your internal teams; you may need to call some external folks. You also need to start crafting a message to your staff. What are you going to say? The last thing you want is one of your customer service people saying, oh, I'm sorry, I can't help you today because we had a ransomware attack and our systems aren't working.
Skoog: I've been to banks that have a breach notification policy, but they don't have an incident response plan. We've been infected with ransomware, we've had a breach and we've lost data, somebody lost a laptop. What's our response plan to that?
And these plans really should consist of kind of four macro-level stages. Identification: Identify what happened, identify who you need to talk to and who you need to communicate with. Containment: How do we make sure that this breach hasn't gone any further than it has to this point? Eradication: How do we get rid of it? Recovery: How do we get back up and running and sort of something that resembles normalcy?
Mike mentioned one of those communications probably is immediately going to be to your cybersecurity carrier. Those cyber carriers are going to tell you the next two phone calls you're going to make are to this law firm, because everything that you're going to do is going to be under attorney-client privilege. And secondly, it's going to be to this forensic firm to figure out what happened, figure out what the extent of the damages have been or the consequences have been, and then how to move forward.
And at a minimum, annually you should come up with some scenarios of, OK, let's talk through what we would do if we had a laptop stolen. IT person, what's your responsibility? CEO, what's your responsibility? Who's making the first call? Who's making the second call? Because without doing that, the chances that you're going to actually execute the plan accordingly are going to drop pretty precipitously.
Moran: One of the things that we went ahead and did is we put together, for what it's worth, a little white paper that you can get on our website that's kind of a framework for developing your incident response plan, and that's been pretty well received.
Skoog: I think one other thing that companies ought to be doing is really keeping an eye on regulatory changes inside of their industry.
They're happening consistently, and the industry that's struggling with it right now is the construction industry, particularly if they're doing work with the Department of Defense. Because the DOD has come out with some extremely demanding security protections that are in place if you're part of the DOD supply chain, and they are going to be having third parties come in and assess, eventually, your compliance with these requirements. And if you're not compliant, you're not able to bid on new contracts.
CEO: What's coming next?
Skoog: For the last few years the type of attacks that companies had to worry about haven't changed that much. It's getting phishing emails and having those phishing emails deliver malware or ransomware. And now, the sophistication of those emails maybe has changed, and the sophistication of the ransomware and the malware has changed, but at the end of the day those are still the top risks that organizations need to worry about.
But I think just as they start getting to a point where they figured out how to manage those risks to an acceptable level, the new risks they're going to need to start thinking about is how artificial intelligence is going to be used to continue to do these phishing expeditions or those social engineering exercises.
I've heard of where through AI the bad guys are taking video or voice of somebody inside your company. For example, if somebody in XYZ company gets a video of what appears to be me or a voicemail of what appears to be me saying we need you to do the following, and they're going to think, well, jeez, it's Tom, it must be legitimate. So how AI is going to be used by these bad guys is going to be the next technical issue that companies need to deal with.
Moran: I mean, if you think about all of the robo calls that you receive on your cell phone, in many cases those robo calls are trying to get you to say yes or something else so that they can use the automated attendant at organizations to validate things.
So, for example, if they're going to commit fraud using your American Express card, in many cases American Express expects you, if you're going to go in and change account information, you have to state information, and you have to state the word, yes, we're acknowledging you can do this. So those are things that are there.
I also think at a next level there's data stealing. Yes, they want ransom.
But I think the bigger value in that data is looking to understand trends and things that are going on to make further connections so that they can build a package and gain a competitive advantage—whether it's in financial services, in your consumer goods scenario, whether it's who's buying information or who's buying things from you. All of that information, it gives them a competitive advantage if they have your customer list and they have all of your invoice recognition.
The more data folks can steal, the more things that they could do with that data and start building up their own competitive advantage, and you don't even know that they're doing it.
So that idea of protecting your systems and protecting your data—companies that just think, hey, we're just a simple manufacturer, we manufacture business-to-business sales, we don't have anything we need to protect.
In reality, there are other companies that are your competitors. They may want to know that information. And if somebody steals that data and they have a smarter way to compile it and use technology to get it done, they might have a better way to go after your customers or position themselves to be a better price perspective in terms of that, or better delivery means.
So, again, people have to really be cognizant of what they used to think really didn't matter is more important today because of advanced technologies like AI and the analytics activity that's going on. Because everything is being studied today down to the most minute transaction. And the more information people can get, the more factors they can add into the systems and start to see more and more opportunities or more and more risks in terms of ways to create a competitive advantage.
CEO: Well, a fascinating thought to end on, and a little scary also. Thank you.
About the Cybersecurity and Data Management Service Line
At Blue and Co., LLC, our professionals, through their diversity of experience, can assess the likelihood and impacts of a cyber breach, a prolonged processing interruption, the operational and cost effectiveness of your IT environment, and the impact of certain federal regulations on your business, such as HIPAA, PCI, FISMA, etc.
We also help you improve your business performance through strategic deployment of your limited IT resources by assisting with strategic planning, development of operating models, sourcing decisions, and other technology advisory services.
For more information on this service line, visit the Cybersecurity and Data Management page.
About Tom Skoog
Thomas (Tom) Skoog has more than 29 years of experience providing information technology services to a variety of industries including healthcare. He previously served as a partner at an accounting firm where he was responsible for the IT risk and audit practice for the offices in the Michigan, Ohio, Indiana and Kentucky business unit.
Tom was responsible for delivering both external and internal audit services along with other advisory offerings including cybersecurity and data management, system controls integration, strategy development, project management, and helping clients comply with a variety of regulatory requirements including Sarbanes-Oxley, PCI, and HIPAA. He was a member of the national HIPAA services team, which was responsible for working with HHS/CMS on the development of audit protocols to be used by CMS in assessing HIPAA compliance. The team also conducted the initial 100+ audits and used the results to adjust the audit protocols with CMS officials.
Tom received his Bachelor of Science Degree from Northern Michigan University in 1987. He serves on the Board of Directors for LifeCare Alliance, which is the parent organization of the Meals-on-Wheels program in central Ohio, one of the largest in the country. He serves on the Finance and Technology committees and chairs their Risk Committee.