Cybersecurity – Table of Experts – Birmingham Business Journal – The Business Journals

Q: How has the remote work environment affected the cybersecurity scene for employers?
Justin Headley (Manager in Warren Averett’s Security, Risk and Controls Group): It has changed the cybersecurity scene dramatically in the last two years. Prior to the pandemic, many organizations already struggled to balance time between IT operations and cybersecurity. Remote work has extended those responsibilities even further. Primarily, the attack surface available for hackers has exponentially increased as companies are now relying on employees to extend those security controls to their home in an unsupervised location. We continue to see that cyber habits at home versus the office are not as stringent, and bad actors are taking advantage of these lax protocols in a big way.
India Vincent (Chief Privacy Officer at Burr & Forman): The remote work environment significantly impacted the risk of cybersecurity vulnerabilities. More employees are working remotely, which carries the risk that employees may work from unapproved personal devices that do not employ the same level of security measures as company-approved devices. Another risk is that employees may connect to protected company data through unsecured Wi-Fi connections. And yet another complication is the impact remote work has on a company's ability to know where its confidential information and the personal data of employees and customers are located and stored. If this type of protected data is accessed, stored or otherwise available on employees' personal devices – even if the devices are approved for use – then data maps should be updated to reflect all relevant information regarding the additional storage, location, access, etc. of such confidential information and personal data.
Q: What has the change meant for IT professionals?
Vincent: The increased prevalence of the remote work environment creates the need for IT professionals to be even more vigilant. IT professionals should ensure that all employer-approved devices – including those that may be approved through a bring-your-own-device policy – contain the same security features used and approved by the employer for devices located in the workplace. IT professionals should always be updated promptly on any changes in employment status, be it a change of position or responsibilities, or termination of employment. Remote work also means that IT professionals have to embrace providing support to the company's personnel in their home environments as well as in the office. This can mean answering questions about home network setups, selection and setup of appropriate peripheral devices, and methods of remote access. While assistance with at-home IT questions has not traditionally been the purview of the company's IT professionals, many companies recognize the need to provide at least some level of support in these areas in order to protect company data.
Headley: When the pandemic began, nearly overnight many organizations went from managing only their offices to managing countless numbers of unsupervised remote locations. While some organizations made an easy shift, we saw that in many cases the infrastructure was simply not in place to support large numbers of remote workers. This resulted in many on-the-fly decisions to simply get employees working again, which often meant that security was an afterthought. Not surprisingly, cybersecurity is now front and center for many organizations, and IT departments are faced with more tasks, oftentimes with the same budget and number of IT support staff.
Q: How are criminals capitalizing on the work-from-home situation?
Headley: Remote work has become a hacker’s field day. With so many organizations forced to implement new technologies and extend their IT resources almost overnight, the risk of a potential breach or major cyber incident grew considerably. Phishing and vishing scams have been a primary attack target for hackers during this time. Well-meaning individuals are easy targets for these scams, and we’ve seen large increases in successful phishing and vishing attacks while employees are at home in an unsupervised location. Additionally, while IT professionals are now primarily focused on supporting remote workers, crucial monitoring of the company’s network and applications has decreased. Studies continue to tell us that once hackers compromise a system, they remain undetected for six months on average. Companies simply just aren’t prepared to detect and respond to incidents, and hackers are capitalizing on it.
Vincent: Criminals are exploiting the vulnerabilities that can be involved in working remotely, particularly from an employee’s personal device. Working remotely creates increased communications through electronic means, such as emails, texts and social media forums. Increased use of such electronic communications can lead to a greater chance of an employee falling victim to a phishing or other hacker scam, as well as more opportunities for hackers to penetrate any vulnerable connections. Combining these vulnerabilities with the divided attention of many remote workers who are multi-tasking to a greater degree than they would in the office, or are working in an environment that introduces more distractions, creates fertile ground for criminals to engage in social engineering to identify company and employee vulnerabilities.
Q: How can companies safeguard their IT infrastructure with a remote workforce?
Vincent: By updating their data maps, tracking and documenting information such as what confidential company information and/or personal data is collected and stored, for what reasons, in what forms, where it is stored, who has access to it, etc. Companies also should conduct regularly scheduled security assessments and privacy assessments, which may be conducted internally or by an external third party. Employers should ensure that their IT infrastructure complies with the security standards accepted in their industries and is commensurate with the confidentiality of company information stored electronically, as well as any stored or accessible personal data. Another important aspect of safeguarding companies' IT infrastructures is training of employees on cybersecurity practices and data privacy. People remain the greatest security threat. Training employees on best practices in cybersecurity and data privacy – including how to identify phishing emails, what to do in the event of an attack, and how to recognize social engineering efforts in forums other than email – is well worth the investment to avoid potential data breaches and legal violations down the road.
Headley: This is the good news of this conversation. We continually see breaches where bad actors are taking advantage of the same vulnerabilities or low-hanging fruit in organizations. There is a myriad of IT controls that can help prevent and detect cyber-attacks, but there are a few key foundational ones to consider. First, hackers are taking advantage of the human element in attacking organizations; therefore, regular security-awareness training for all employees is imperative. It takes everyone to ensure an organization stays cyber safe, and educating users with the latest attack methods and phishing scams is vital. Additionally, ensuring infrastructure is protected with a layered security approach is crucial to protect assets. This includes implementing controls around multi-factor authentication, endpoint protection and a secure VPN connection, along with effective monitoring of the network for threats and attacks.
Q: What types of companies or firms can assist employers with their remote work data security needs?
Headley: Identifying a firm that helps assess an organization from a holistic security approach and against IT best practices is important. Work with an IT security-related firm to identify the framework that best aligns with the needs of your organization, and review your controls periodically to understand gaps, control weaknesses and vulnerabilities. Additionally, for help with the implementation and monitoring pieces, partner with a managed service provider that can recommend suggested tools and infrastructure to achieve your goals. It's also important to note that whenever you decide to partner with a third party, vendor management due diligence is crucial, especially for those you are sharing data with or providing access to your network. Remember that while you can outsource the service, you can't outsource the responsibility.
Vincent: Businesses can find a wide variety of assistance for data security needs. The first step is a vendor that provides secure methods of remote access, such as a virtual private network, or VPN. With that connectivity in place, businesses need to give some thought to the devices that are allowed to connect to the system remotely. For example, a business must determine whether only company-owned devices should be granted remote access to the system, or whether employees should be allowed to use their own devices. These decisions will rely somewhat on company culture, but IT security consultants can help provide guidance on how to balance the need for security against the need for easy access to allow remote work to be effective. Training for remote workers on how to set up their home networks or computer devices is important, as well as training on best practices in cybersecurity and data privacy.
Q: What does the process look like when there is a security breach?
Vincent: It varies depending on the type of incident. However, it is important that a business know the requirements of its cyber-insurance coverage to be sure that the initial steps it takes will not compromise its ability to recover under those policies. Regardless of the type of incident, there are usually several steps that should occur in parallel. The incident must be contained, whether that means containing any encryption activity for a ransomware attack or changing passwords to cut off a business email compromise, or some other containment effort. In addition, legal counsel should be contacted as soon as possible so that they can engage other service providers, such as forensic assistance, on behalf of the business. Legal counsel will also help ensure that the company's response is sufficiently comprehensive to address all the legal obligations that can arise from such an incident. For a business email compromise that results in loss of funds through misdirected wire transfers or other payments, promptly reporting the incident to the payor and payee banks, as well as the FBI, can significantly improve the chances of recovering funds. In the event of a ransomware attack, the first several hours are going to be an iterative process focused on containing the attack, ensuring the threat actor's access to the system has been removed, assessing the extent of the damage, identifying insurance coverage and requirements if necessary, and making determinations about which stakeholders need to receive information at which stages of the process. While it is easy to delay assessment of reporting requirements during the early stages of the incident, it is important to remember that many reporting requirements impose relatively short deadlines to get notice to individuals whose personal information may have been accessed or compromised. Legal counsel can assist with that effort in parallel with forensic review and restoration of the systems.
A final step of any incident should be a thorough review of the incident and development of a continuous improvement plan to continue to strengthen the IT systems against future attacks.
Headley: Breach headlines continue to validate that organizations are not prepared to detect and respond to incidents. A majority of IT resources are dedicated to prevention, so when an incident occurs, organizations as a whole are scrambling to appropriately react and respond. If you fail to plan, you should plan to fail. An incident-response plan with key internal and third-party contacts, escalation plans and detailed recovery steps for various incident scenarios is critical in the response process. Additionally, testing this plan periodically with various incident scenarios is important in understanding your controls and potential weaknesses. Establishing relationships with law enforcement and the FBI beforehand is another key layer in your response plan. Many of these individuals deal with incidents and breach response almost daily, and can offer invaluable insight in the way you respond to an incident and deal with hackers.
Q: What are the consequences for companies that have a security breach?
Headley: Breach statistics show that the average cost of a data breach continues to rise annually, and on average is costing organizations millions of dollars in response and remediation efforts. While news headlines typically focus only on the short-term monetary impact, we often see a tremendous amount of other direct and indirect costs encountered long-term after a breach. Things such as fines, investigations, customer attrition, reputational damage and investment/donor funding losses should also be heavily considered. Cyber insurance has become a popular option for some companies to help bridge the gap for some of these response costs, though it can provide a false sense of security. It's important to be on the same page with your insurance carrier to fully understand what the policy may pay for and what due diligence requirements must be met before assistance is provided.
Vincent: The immediate consequence is usually downtime for the business. When email systems and file systems are not accessible, it is often difficult if not impossible to continue operations in the wake of an attack. For a business email compromise, if the result of an attack was a fraudulent wire transfer, the immediate consequence is the loss of funds and the time required to try to recover those funds. In addition, the requirement to provide notice to all individuals whose personally identifiable information or protected health information was accessed and/or acquired results in a lot of time and effort for the review and notice process, followed by the cost of sending the notices and potentially offering credit-monitoring protection. Often one of the most significant consequences is reputational damage. When a security breach is reported in the news or announced to customers as a result of the legal notice requirements, customers may have concerns about continuing their relationship with the business. Even though the monetary damages involved in responding to a security breach can be significant, mitigating the reputational damage can be the most difficult. While it is natural to want to explain the incident away or rationalize about the minimal impact of the attack, if personal information was compromised, it is best to be as transparent as possible. As cyberattacks have become more prevalent, customers may be more forgiving, but that understanding wanes quickly when the company conceals information.
Q: What is the most ethical way to handle a breach if one happens?
Vincent: In the event of a breach, the most important thing is to be truthful and forthcoming about the incident when talking with all stakeholders. Hiding the incident and/or reporting that the impact was more limited than it was can only result in further problems when the true breadth of the incident is discovered. When considering what assistance to provide to individuals whose personal information was compromised (including call centers, credit monitoring, identity theft protection, etc.), doing something above and beyond what is required by law can go a long way toward maintaining the goodwill of a company's customers and/or employees.
Headley: While I don’t think there is a one-size-fits-all approach to breach response, there are a few items to consider. Initially, understanding that breaches often still take place regardless of the effectiveness of your security controls is key. Your goal as an organization is ensuring that you have an effective cyber-risk program in place that can effectively detect and respond to cyber incidents in a way that causes minimal disruption and downtime. It’s important to conduct risk assessments often to understand where your risks and vulnerabilities are, and develop controls to mitigate that risk. No two days are alike in cybersecurity, so you must continually educate yourself and others, and understand how that risk affects your organization.
Q: Outside of the increase in remote work, are there other ways Covid-19 has affected cybersecurity for businesses?
Headley: Outsourcing critical business functions was a popular business tactic prior to the pandemic but has grown even more since then, especially when it comes to Information Technology. The security controls that have been identified and applied internally must be extended to your critical third-party partners, especially those that have access to your systems or ones you share information with. Periodically reviewing due-diligence documentation such as vendor security questionnaires or SOC reports helps to ensure that good security controls are in place. It's also important to remember that your relationships with third parties change rapidly, as well as their internal controls. So you must continually assess the risk on a periodic basis.
Vincent: The high demand for talent in IT and information security is making it harder for companies to staff their security teams appropriately. Thus, at a time when companies are most in need of talented IT and information security teams due to the increase in the remote-work environment, they can find themselves in the position of being under-staffed in these areas.
Q: What are the trends in cybersecurity?
Vincent: There continues to be a lot of focus on improving security for the information technology infrastructure that businesses rely on for day-to-day operations. Those efforts take a variety of approaches, from implementing software and hardware tools, to safeguarding and monitoring IT systems, engaging service providers to assist with securing the system, hiring security personnel to advise on and implement best practices, and training employees to be on the lookout for signs of an attack. However, many businesses are also actively working to improve their ability to respond to the alerts they already receive. For example, having several different tools providing alerts about abnormalities in the system is useful only if the staff exists to review those alerts and act on the ones that are true indicators of a problem. Receiving alerts without the ability to act on legitimate threat indicators is not beneficial to the business. Since there is a myriad of reasons that bad actors engage in cyber-attacks, there will always be new methods of attacks and attacks on more and more businesses. Businesses must continue working to keep up with the threats posed by these bad actors, and undertake continuous improvement efforts to keep their security positions up-to-date at all times.
Headley: With the advancement of technology, we’ve seen artificial intelligence begin to play a role in cybersecurity. The number of real-time attack attempts on an organization any given day has continued to rise to a level in which human review and intervention almost becomes impossible. However, AI built into endpoint protection systems and firewalls can help to analyze the traffic or patterns in real-time and make a quick judgement call to block, alert or allow the attempt without human intervention. Additionally, AI within security and incident management systems can review logs from multiple sets of internal systems and correlate them to understand if suspicious activity may be detected and alert IT. As the number of duties continually mount for IT personnel, AI can play a crucial role in detecting attacks and responding in real-time.
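Both answers above turn on the same step: events that are individually noisy (a VPN login, a failed login, a new inbox rule) only become a usable alert once they are correlated across sources and a triage decision is attached. The block below is an added illustration, not the speakers' tooling and not any vendor's product, and it is a hand-written correlation rule rather than the machine-learning the answer refers to; it shows the correlation step that a log-management platform automates. Every log line, field name, log format, indicator weight, the 60-minute window, the alert threshold and the assumption that a user's home region is "US" are constructed for this example.

```python
"""Added example: correlate events from several log sources per user within a
time window and score them, so that a handful of low-signal events becomes one
actionable alert. Hand-written rule logic, not ML; all data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Constructed sample events from three assumed sources (vpn, mail, endpoint).
# The "ts source key=value ..." layout is invented for this example.
SAMPLE_LOGS = [
    "2022-03-01T08:02:11Z vpn user=alice src=203.0.113.7 geo=US result=success",
    "2022-03-01T08:05:40Z mail user=alice action=login src=203.0.113.7",
    "2022-03-01T09:14:02Z vpn user=bob src=198.51.100.23 geo=NL result=success",
    "2022-03-01T09:14:09Z mail user=bob action=login src=198.51.100.23",
    "2022-03-01T09:16:30Z mail user=bob action=inbox_rule_created rule=forward_external",
    "2022-03-01T09:20:05Z endpoint host=bob-laptop user=bob event=new_admin_tool proc=psexec.exe",
    "2022-03-01T10:00:00Z vpn user=carol src=192.0.2.44 geo=US result=failure",
    "2022-03-01T10:00:20Z vpn user=carol src=192.0.2.44 geo=US result=failure",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one constructed log line into a dict: ts (aware UTC datetime),
    source, and every key=value field. Returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"source": m.group("source")}
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev.update(KV_RE.findall(m.group("fields")))
    return ev


def indicators_for(ev, home_geo):
    """Yield (indicator_name, weight) pairs contributed by a single event.
    Weights are arbitrary choices for this example; a deployment would tune them."""
    src = ev["source"]
    if src == "vpn" and ev.get("result") == "success" and ev.get("geo") != home_geo:
        yield ("vpn_login_unusual_geo", 3)
    if src == "vpn" and ev.get("result") == "failure":
        yield ("vpn_login_failure", 1)
    if src == "mail" and ev.get("action") == "inbox_rule_created" and ev.get("rule", "").startswith("forward"):
        yield ("mailbox_forwarding_rule", 4)
    if src == "endpoint" and ev.get("event") == "new_admin_tool":
        yield ("admin_tool_on_endpoint", 2)


def correlate(lines, window_minutes=60, home_geo="US", threshold=5):
    """Group events by user, sum indicator weights that fall within `window_minutes`
    of each other, and return only users whose best window reaches `threshold`.
    Result: {user: {"score": int, "indicators": [names], "window_start": datetime}}."""
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and "user" in ev:
            by_user[ev["user"]].append(ev)

    window = timedelta(minutes=window_minutes)
    alerts = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        hits = [(e["ts"], name, w) for e in events for name, w in indicators_for(e, home_geo)]
        best = None
        # Slide a window anchored at each indicator: low-weight events spread over
        # hours should not add up, so only hits within `window` of the anchor count.
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            score = sum(w for _, _, w in in_window)
            if best is None or score > best["score"]:
                best = {"score": score, "indicators": [n for _, n, _ in in_window], "window_start": start}
        if best and best["score"] >= threshold:
            alerts[user] = best
    return alerts


if __name__ == "__main__":
    for user, alert in correlate(SAMPLE_LOGS).items():
        print(f"ALERT {user}: score={alert['score']} "
              f"indicators={alert['indicators']} from {alert['window_start'].isoformat()}")
```

On the constructed data, only bob crosses the threshold (foreign-geo VPN login, an external forwarding rule and an admin tool on the endpoint within six minutes); alice produces no indicators at all and carol's two failed logins score 2, which is exactly the kind of event the second answer says should not consume an analyst's time on its own. Lowering `threshold` or widening the window trades fewer missed cases for more alerts to triage, which is the staffing question the answer raises.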
Expert bios
Justin Headley, CISSP, CISA, CDPSE, CRISC, Manager, Security, Risk and Controls Group, Warren Averett
Justin Headley joined Warren Averett in 2016 and is a Manager in the firm's Security, Risk and Controls Group. He has more than ten years of combined public accounting and industry experience. Justin has extensive knowledge in assisting clients with technology control reviews, cybersecurity concerns, IT risk assessments, Business Process Reviews and SSAE 18, SOC 1 and SOC 2 Reports. Justin is a member of InfraGard Birmingham, serves as Treasurer for the ISACA Chapter of Birmingham and is a member of ISACA's CISA Exam Development Working Group. In conjunction with the AICPA, he recently acquired the newly released SOC for Cybersecurity Certificate, which assists clients in an examination of the maturity of their Cybersecurity Risk Management Program. Justin is also a published author and speaker on a variety of technology and cybersecurity topics. Justin resides in Birmingham with his wife and three children.
India Vincent, Chief Privacy Officer, Burr & Forman
India leads the firm's Cybersecurity and Data Privacy Team as well as the firm's Intellectual Property practice group. She is CIPP/US certified. India's areas of practice include cybersecurity, incident response, data privacy (including GDPR, CCPA/CPRA, VCPA and CDPA), software and technology licensing, technology development and research, corporate transactions, trademarks, and other aspects of intellectual property. She assists clients with identifying their valuable data and other proprietary information and developing customized, situationally appropriate security and data protection policies and breach response plans. She provides guidance and serves as counsel for clients responding to a cyber-incident, including securing electronic and physical systems, assessing the impact of the incident, complying with all notice requirements, restoring operations, and developing remediation plans to thwart future attacks.
India earned her J.D. from the Cumberland School of Law at Samford University and her MIMSE from North Carolina State University. She is also a member of the patent bar and a Certified Information Privacy Professional in the United States.
– Elizabeth Shirley, Contributor
© 2022 American City Business Journals. All rights reserved.