Cybersecurity Forum: Discussion recap – The Business Journals

With cyberattacks on the rise, and more and more businesses facing the potential costs of ransomware threats, the Business Courier held a forum on cybersecurity featuring three local experts in the field.
The forum was held Oct. 13 at the offices of the Cincinnati USA Regional Chamber and featured three industry panelists: Doug Davidson, director of information technology services at GBQ Partners LLC; Ashley Earle, an attorney with Calfee, Halter and Griswold; and Robert Short, vice president of strategic services at Liquid Networx. The forum was moderated by Business Courier Managing Editor Tom Demeropolis.
Demeropolis began by asking the panel about the top trends they’re seeing in cybersecurity today. Earle said from a legal perspective she sees two driving forces in the field now. One is states passing legislation to regulate business when it comes to cyber protection and privacy, some following the lead of California. “We’re starting to see a lot of other states fall in line — Colorado, Virginia, Connecticut,” she said. Ohio’s legislature has had a bill under discussion, but it failed. There’s more regulation to come, she said, and it’s unclear what shape that will take. “People recognize that data privacy is an issue and that some companies are not doing what’s best for consumers,” she said. “There’s a push to regulate and we don’t know what that looks like, because there’s really no federal blanket coverage. There’s no one size fits all answer, and that can be very difficult.”
Short said the pandemic caused business enterprise data to be scattered to wherever employees are working from. “People just weren’t ready to protect that,” he said. “We’re trying to help people discover what is right for their business. What is the most effective thing they can do to enhance their security posture without costing an arm and a leg?” Many businesses don’t have the people or the budget for it, so his firm can create a plan that they can execute. “We subscribe to the KISS principle,” he said. “Keep Infrastructure Security Simple.”
Davidson said his business advisory firm works with its clients to determine risks and then create organized frameworks to mitigate those risks. Because of the large payouts for ransomware, more companies want to work with their business partners to manage their cyber risks, he said. “We’re working with firms to really organize a playbook around, not just the technology, but the operating processes that they need to follow,” he said.
Demeropolis then asked about how they advise clients in the event of a breach. Earle advised calling the business’s attorney first. “Let’s talk through it because a lot of times people panic and panicking is the worst thing to do.” She said an attorney can help think about options and scenarios that the business management may not see.
Davidson said the time to act is before an attack, to create and test a plan for what to do when an attack occurs. “What needs to be followed if something bad happens and needs to be practiced?” he said. “Before the breach is when you need to talk and worry about the breach.”
Short agreed and said the plan should be regularly practiced, and in different situations. “We work with partners that actually will simulate those attacks and bring in teams that simulate that for you to help you document that,” he said. Davidson said businesses should run “tabletop” exercises to test the plans and then make adjustments as needed. Those exercises should involve everyone who might need to be involved in a breach, including attorneys, he said. “It’s better to have them understand how you operate as a business and what you’ve implemented to protect yourself in the process, as opposed to being brought in after the fact,” he said. “Because otherwise, you’ll have to bring them up to speed at the very same time that you’re trying to recover and protect your information.” He said such plans and tabletop exercises can save money on insurance premiums and sometimes insurance companies will help fund the exercises. “Being prepared is a big deal,” he said.
Demeropolis asked about the level of activity the panelists are seeing in cyber attacks these days. Davidson said the average ransomware event costs $4 million now and has doubled in the last few years. “That could be a life-ending event for some small businesses,” he said. Because more people are accessing company data from their homes, “the attack surface is bigger,” he said. This is causing the cost of cyber insurance to increase too, he said. “Insurance companies paid out a tremendous amount of money over the last couple of years and they’re adjusting their policies because of that,” he said.
An audience member asked if tabletop exercises should include vendors and other business partners? “Are you advising your clients to go through these tabletops all the way down the supply chain?” he said. Short said yes, and recommended reviewing vendor contracts to see if they provide adequate protection. “You need to go back and look at all of your vendor relationships and what the agreements are that you have in place today,” he said. “Get your legal team involved in that and make sure that you’re protected.”
Earle said all agreements should be put in writing, “So that everybody’s obligations upstream and downstream from you are clear and memorialized so that as people change and things happen, you know what to do and who to call and who not to call,” she said. She also recommended reviewing the insurance policies of vendors to see if they are covered. “Don’t presume the vendor’s insurance would cover a breach upstream or down, and ask whether they are liquid enough to handle a situation, such as a ransomware attack, without going out of business. Do they have the financial means to be covered in the event of an incident, and if not, how would that impact your business – would you still be able to operate without that vendor?” she said.
Davidson recommended going over contracts with managed service providers and with managed security service providers to make sure businesses understand everything they will be doing under their contracts. “We do a lot of marriage counseling with MSPs and MSSPs,” he said. “Their clients have fired a bunch of them because they failed to perform, and it’s a problem in the industry right now,” he said.
An audience member asked about possible regulations, legislation, and the difficulty of prosecuting hackers. Earle said there was some thought that big businesses were not being held accountable for security breaches and that private individuals should have the right to sue. That could lead to class-action lawsuits, which can be very costly, she said. In Ohio, the issue became partisan, she said, but data privacy should not be a partisan issue. “I think it’s something that we should all agree on and kind of have a middle-of-the-road approach,” she said. Some state legislation, such as in California, follows the right of privacy embedded in their state constitutions, she said.
Prosecution against data breaches can be difficult, she said. “A lot of times we know there’s a breach, but we don’t know what was taken, or who the data belongs to,” she said. “A lot of times the companies will take the approach that because they don’t know what data was taken or who that data was taken from they will just ignore it. They’ll just say we’re going to patch it, we’re going to fix it – and that can’t be the answer.”
Demeropolis asked the panel about cyber insurance. David said cyber insurance can help restore IT infrastructure to where it was before. Insurance companies will improve security by demanding certain requirements, such as two-factor authentication, he said. They may also require a written business continuity plan and a better risk management plan, he said. “It’s going to shift the market,” he said. “I think it’s going to be bumpy.” He has seen some businesses lose their coverage and others see their premiums triple, while others have had their benefits reduced. “I think it’s going to motivate people,” he said. “It’s going to motivate people more than the regulators.”
Earle said, “We walk a lot of clients through the insurance issues because they are very nuanced.” Businesses should be careful about how they describe an event, she said. “Don’t use the word ‘breach’ unless you know there’s been a breach,” she said. “Have your attorney look at that communication.”
Davidson said businesses should extend the “kill chain” as far out from their operations as possible. “The kill chain is a series of things like outside door locks or a fence so they can’t get to the front door,” he said. “You want to try to push that kill chain, that point of attack, as far away from your business as you can.”
Earle said it’s often the everyday hacker that invades. “It’s not the mastermind hacker that you might think,” she said. “It’s usually very low-hanging fruit where any series of ten things could have stopped it. It’s not somebody who’s spending months trying to hack your company,” she said. “It’s a series of constant errors.”
Demeropolis followed up by asking where these attacks typically come from. Earle responded that anytime a company is going through a merger or acquisition, the amount of attempted hacks goes up because so many people are sharing documents, compiling financial information, and transferring that to different people. , Many attackers are in North Korea and Russia, and many come from countries on OFAC’s list (the Office of Foreign Assets Control), which may prevent businesses from being able to pay them in a ransomware event, including North Korea, as well as some countries in Africa, such as Zimbabwe and the Republic of Congo, she said.
Short said if people search manufacturer websites for computer security products, those searches can be monitored by hackers. “So while you think you’re out doing your research, gathering your information to protect yourself, they look at you as a target, because you’re looking for solutions to protect yourself, which implies that maybe you don’t have a solution,” he said. “Therefore you are vulnerable to an attack.” Executives taking a corporate laptop home and using their home wi-fi network can also be vulnerable, he said. The same holds true of hotel wireless networks, he said. “You’re connecting all the time, anywhere, which is great, it’s convenient, it’s awesome. But you’re also connecting all of your enterprises to that same environment,” he said.
He also urged companies to turn on the security features they already have. “We go into environments and a lot of times it’s not even about money, it’s about they already have this deployed, but they didn’t deploy properly. They didn’t turn it on,” he said. An example is allowing people to connect without a VPN (virtual private network), he said.
He said smaller businesses are more vulnerable to attack than bigger businesses because hackers know who’s got the budgets and resources to protect themselves. Some small businesses fail within six months to a year after they’ve been breached, he said. “It’s the small to medium folks that are getting crushed by this and are getting put out of business and getting their reputation and their brand destroyed,” he said.
Davidson said a ransomware attack can take five to seven weeks to get data restored. He knew of a construction firm that was breached and lost all the change orders for its projects. “They ended up with every single client going back to the table and renegotiating,” he said. Hacking is a business, Davidson said. Hackers can buy information and credentials, as well as targets, he said. “There’s such a thing as ransomware as a service,” he said. If hackers are inside an organization’s system, they know how much money an organization has. “They know your sore spot,” he said. “They may have been in every month, once a month.”
Even after a ransom has been paid and everything is encrypted again, it takes a long time to return to normal, and information will be lost, he said. “It’s not like a light switch where it’s on and then off,” he said. “It’s a very long, drawn-out process.”
An audience member asked when it’s advisable to reach out to the FBI and report something. Davidson recommended not notifying the FBI merely for attempts, “because you can spend all your day doing nothing but notifying,” he said. He suggested notifying law enforcement when an attack interrupts operations or if everyone, including your attorney, agrees there’s been a breach. He also said the FBI may investigate an event, but not prosecute it, and file the information.
Short said if the breach is bad enough, the FBI will contact the business. Then the business faces questions of what kind of information it can share, especially if not all the information is theirs but belongs to a vendor or a customer. Earle said that becomes a big question when law enforcement is involved – what information can be shared with them? She said she’s also been involved in a case where the Secret Service was the investigating organization.
Earle also suggested using the phone to communicate in the event of a bad event. “Don’t do it in writing, especially because you do not know if the hacker is in your system,” she said. “Don’t do it on the server. It’s shocking to me how many people will put really bad facts in writing that end up not being true or are a mischaracterization.”
Earle and Davidson recommended getting plugged into the cybersecurity community, including universities and other professional groups. Earle said she considers it a patriotic duty to get involved and share information with other cyber professionals. She also said there are many free resources, including many from the National Institute of Standards and Technology (NIST). “It’s such a changing environment. You really have to keep up on it,” she said. “You really have to know what’s going on in the world.”
Davidson recommended tapping into the Center for Internet Security, which can provide resources for operating during an attack. He also recommended the website of the Cybersecurity and Infrastructure Security Agency (CISA), which often will put alerts out about what’s going on in the world. He also said Verizon offers a free report that highlights what the most common attacks by industry are. Short said internet security company Fortinet is offering free training to be certified in network security engineering.
Demeropolis asked Short about something called the “zero trust security model.” Short summed it up: “It’s trust no one; verify everything,” he said. It’s a framework for security that includes protections such as two-factor authentication, and an email solution to help detect and eliminate scam emails. It also involves protecting the servers, not just desktops and laptops. It also involves network segmentation and network access control, he said, which means “If I’m in sales, I shouldn’t necessarily have access to the same resources that my CFO has access to,” he said.
Demeropolis then asked the panel to wrap up with one or two recommendations. Davidson said IT security begins with the leadership of the firm getting IT security and the business management communicating with each other. He also recommended a regular set of tests, and a routine risk assessment, which should include penetration testing and tabletop exercises to prepare for a breach.
Short recommended starting security “on the outside and working your way in. That’s your largest attack surface,” he said. “They’re coming in from a single device on your network and they’re just spreading all over your network,” he said. He also recommended simplifying the security strategy. “Developing something that’s a lot more simple to manage is going to increase your overall security posture,” he said. And he recommended making sure the technology you have is operating. “You’ve already made the investment. You already have the technology. Turn it on and enforce that,” he said.
Earle recommended learning about and following the Ohio Data Protection Act, which she said is a safe harbor and an affirmative defense in the event of a breach. She also recommended that if companies do experience a breach to provide new cards for free, monitor customer accounts, provide credit monitoring, and similar efforts. “That’s mitigating the harm and hopefully preventing damage to consumers, which is one of the elements required to sue.,” she said.
Policies that follow the Ohio Data Protection Act must be in writing. “You have to have a written policy. You cannot just say, ‘Oh we did those things,’ to be compliant” she said. She also emphasized the need to draft a true and accurate privacy policy rather than copying and pasting one from another company, which may entail committing fraud. “They are fraudulently misrepresenting their practices,” she said. “It’s so much better if you just say in layman’s terms, here’s what we do. Don’t copy and paste a policy that doesn’t fit what you’re doing.”
Demeropolis closed the forum by thanking the panelists, the sponsors and the audience.
Doug Davidson, Director of Information Technology Services, GBQ Partners LLC
Doug joined GBQ in 2016, bringing over 30 years of experience advising business leaders managing digital, cyber, and compliance risks as a foundation of their business. An accomplished entrepreneur and leader, Doug leads GBQ’s Information Technology Services team of IT strategists, cyber analysts, and auditors, working with clients to reduce operational, compliance and cyber risks.
Doug began his career managing market information for a local economic development entity. Fortuitously, his graduate school concentration intersecting with the possibilities of the Internet, led to his developing websites for early adopters. As hackers targeted websites protecting the sites led Doug to a cybersecurity career.
Doug’s passion remains in aligning clients’ risk management strategies with their business mission and vision, helping them build innovation supporting platforms. Leading security, risk, and compliance assessments for clients ranging from startup and emerging businesses to family-owned, middle-market companies and large public organizations, Doug remains committed to empowering growth by building, assuring, and protecting value.
Ashley Earle, Attorney, Calfee, Halter & Griswold LLP
With a broad range of experience in intellectual property law – including trademark, copyright, trade secret, design patent, utility patent, privacy, and licensing matters – Ashley works to help clients protect their innovations and creations by securing and enforcing trademarks, copyrights, and patents, both domestically and abroad. She counsels clients from the fruition of an idea through to execution, implementation, protection, monetization, and enforcement. Ashley’s practice focuses on branding protection to create and enforce brands and their related intellectual property on a global scale. She manages large, international portfolios and provides strategic client counseling to determine the best path forward for each client based on their needs and goals in the relevant market.
Robert Short, Vice President of Strategic Services, Liquid Networx
With more than 20 years in the IT and telecom fields, Robert has expertise in security, ITO & BPO solutions. Prior to joining Liquid Networx, he spent seven years with a major U.S. carrier where he designed special financial programs to meet the requirements of the global system integrator community. Robert has a curious technical aptitude and brings a wealth of experience in leveraging partnerships to help clients identify and execute transactions that produce sizable financial results for their organization, business unit or department.

© 2022 American City Business Journals. All rights reserved. Use of and/or registration on any portion of this site constitutes acceptance of our User Agreement (updated January 1, 2021) and Privacy Policy and Cookie Statement (updated July 1, 2022). The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of American City Business Journals.



Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top