TechRepublic’s Karen Roby spoke about cybersecurity with Robert Braun, partner and co-chair of the cybersecurity and privacy group Jeffer, Mangels, Butler and Mitchell. The following is an edited transcript of their conversation.
Karen Roby: What concerns you the most with companies nowadays and those that you’re working with and in general?
SEE: Security incident response policy (TechRepublic Premium)
Robert Braun: I think that the thing that I’m concerned about, the things that my clients are most concerned about or should be, is the increasing sophistication of the bad actors in the field. For a long time, we had people who were relatively noisy, we’d call it, easier to spot. So, the defensive characteristics, the defensive techniques that a company would implement would be designed for that. But we’re now seeing very, very sophisticated hackers, very, very sophisticated bad actors. I mean, for example, what we’re seeing is that these bad actors are using what amount to nation-state tools to engage in what used to be espionage and now are straight criminal affairs. Nation-state actors have a variety of extremely sophisticated means of getting into a system, of staying in a system, and when I say being quiet, being very hard to find, and then erasing their tracks.
Now when that happens, it means that even a company that has taken good steps to prepare for a potential breach may not find it. They may have lost much more valuable information. And then they may not be able to recover from it nearly as effectively. I mean, the really popular example is the SolarWinds breach, which was probably one of the most sophisticated, showed a lot of great techniques and a lot of things that we really associate with straight espionage, and now that’s gone into the wild, and it’s available to just about anyone who wants to engage in hacking techniques. We consider that a tremendous threat and something that’s very, very hard to prepare for.
Karen Roby: And that’s the scary thing, Bob. Companies and company leaders can no longer put their heads in the sand and say they didn’t know that this could happen or to the extent that it could have happened, because everybody is vulnerable. We know that and we’ve seen it on so many different levels, but companies are having to deal with so much, obviously as you know, with how to have a system that’s set up, what happens if you get hacked? I mean, whether it’s money at stake or the customer’s data. I mean, there’s so many things. They’re systems, they’re holding them ransom. It’s just such a scary thought as to what all can happen.
Robert Braun: I think that the issue about personal information, and I don’t want to sound glib about this, but having your credit card information stolen is just not that big a deal anymore because you’re not going to be held liable for the costs. And the worst that can happen is you’re going to wait for a couple of days to get a new credit card. It’s not a big deal. The bigger issue, and we’ve seen that on a large scale, but it happens in places you’ve never seen it, are when companies are actually shut down. We saw that with potentially the Colonial Pipeline. We’ve seen that with other infrastructure grids and we see that with other companies. Law firms have been subject to this. There are law firms which take months to recover from a hack. And one of the real challenges, and one of the reasons ransomware is so ubiquitous, is that it’s a tremendous business model.
SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)
It actually is a three-strike approach, because a hacker, once they get into the system, will close up your data, will close up your system or threaten to do so, and will demand a payment in order to open it up. Now that may or may not get you back, but typically the reason people pay it is that hopefully they’ll be able to get back in line. But the next step is that same hacker will say, “Well, now I’ve got your data. And if you don’t give me more money, I’m going to sell that data. I’m going to make it public.” That’s extortion, so you pay that. And then the hacker, since hackers are not really in the business of following up on their promises, will go and sell that data anyway.
The only business model in hacking that I think is a little bit more effective in terms of as a business model, if I were to look at that, if a hacker were my client, I’d say, what’s your best business model? We’d be looking at business email compromise, because that just cuts out all the middlemen and allows you to get into a system, have money sent directly to your checking account and go home. Very simple. And for those, there’s very, very little that can be done afterwards. I mean, data isn’t lost, but millions of dollars are. I think that’s the real issue. It’s not just the fact that data goes into the wild, it’s the fact that your business could be shut down and it’s very, very difficult to overcome that.
Karen Roby: What about when we talk about privacy laws? And as you mentioned before, we were recording here that the internet is everywhere. It’s hard for businesses to even know how to comply. I mean, do you find that some of your clients just feel overwhelmed by this?
Robert Braun: Absolutely. I mean, one of the problems, one of the challenges, is that right now we have three competing, overlapping, there’s about an 85% overlap, but three competing laws, California [CCPA], Colorado and Virginia. Each of them have a data privacy law. Now they’re pretty similar in a lot of areas, but they’re not entirely the same. So,companies by 2023 are going to have to figure out how to comply with all three of those. And that’s not the end of it because we’re also talking about a number of other states, eight or 10 other states, that are actively considering their own models. And then there’s the federal government, which from time to time threatens to get one of those passed. But I mean, this is one area where we can get some comfort in the fact that there’s general gridlock in federal legislation.
SEE: Ransomware attack: Why a small business paid the $150,000 ransom (TechRepublic)
One of the other issues, though, that you should realize is that even if there is going to be federal legislation, it’s only going to make a difference if it overrides and preempts state laws, and the states do not want that to happen. The states want to protect their own people, and any law that would be adopted on the federal level would be unlikely to be as comprehensive as some of the state laws. But in any case, I’ll tell you that in order to comply with these laws, any one of them, California for example, requires a great deal of work. It requires an understanding of all the data you collect, who has access to that data, where it’s stored, who uses that data, who in your supply chain is involved in that project. And that is a very, very big endeavor.
Now, it’s a very valuable endeavor because a company that understands its collection and use of data is going to understand its business much, much better. I’ve actually seen companies that go through that process and realize that they can improve their businesses, but it’s like going on a diet and working out. It takes a long time for you to see the results and then you have to keep up with it. So, it doesn’t matter if you lose 10 pounds if you go and gain them back. It doesn’t matter if you workout and then you stop working out, it’s that muscle that has to be continually exercised. It’s the discipline that has to be continually exercised. So, it’s something that isn’t a one-time affair. And that’s one thing that I don’t think people recognize in privacy. It means that this is money and this is an investment you’re going to have to make for the rest of the existence of the company.
Karen Roby: Has there been any silver lining? Have there been any small changes made that make you think, “OK, this is good, we’re making progress?” I mean, is there anything positive in this realm?
Robert Braun: The most positive thing is the impact on people’s behavior, because when you get down to it, everything depends on the person. I have a joke. I stole a joke about privacy and security, that the greatest impediment to data security and data privacy is the object that is between the computer screen and the back of a chair. It’s the human being. It’s the human factor. It is still the case that the vast majority of data breaches are a result of human error, of someone clicking on the wrong thing, of someone going to the wrong website, someone engaging in bad or reckless behavior. We see less and less of that. People are aware of it. We see better and better training. And the more that we can do that, the problem becomes smaller and smaller.
SEE: Expert: Intel sharing is key to preventing more infrastructure cyberattacks (TechRepublic)
Even things like SolarWinds originated in someone’s behavior, in someone’s behavior on social media or someone’s behavior on clicking something they shouldn’t. And we do see less of that. And I think that is going to impact people. It’s not just on a business level, it’s going to impact people on a personal level. It’s going to frankly, make people’s lives better. I don’t like to talk about COVID, but one of the things people mentioned, a lot of people will tell you, is over the last 18 months, they didn’t get a cold because they changed their behavior. So, it’s the same kind of thing. If we can change our behavior online, that is going to be one way we can significantly reduce this problem.