5/11/2017

Cybersecurity is the protection of information and systems from attack, damage, and unauthorized access. Cyber criminals aim their attacks at the sensitive data of organizations stored on computers and in the cloud. When sensitive data is exposed, it puts the firm at risk of extortion, serious business disruption, data loss, and possible litigation. There is a clear need in the middle market for stronger cybersecurity. NCMM Executive Director Tom Stewart talks about this issue with Vishal Chawla, Principal in Grant Thornton's Business Risk Services, and Dmitry Kuchynski, Security Principal/Global Security Advisory Services at Cisco Systems.

Transcription

How much danger does your company face from cyber attacks? We'll help you learn and help you plan.

Welcome to The Market That Moves America, a podcast from the National Center for the Middle Market, which will educate you about the challenges facing mid-sized companies and help you take advantage of new opportunities.

Today's podcast in The Market That Moves America is about risk. In particular, it's about the threats middle market companies face from attacks on their computer systems, or the systems of companies they do business with. I'm Tom Stewart, the executive director of the National Center for the Middle Market at the Ohio State University Fisher College of Business. We're the nation's leading research outfit studying mid-sized companies, which account for a third of private sector employment and GDP, and the lion's share of economic growth. It is the market that moves America.

The National Center for the Middle Market is a partnership between Ohio State and SunTrust Banks, Grant Thornton, LLP, and Cisco Systems. And with me today to talk about cybersecurity and its implications for mid-sized companies are two special guests. Dmitry Kuchynski is a Security Principal in Global Security Advisory Services at Cisco Systems. Welcome Dmitry.

Thank you for having me.

And also here is Vishal Chawla, Managing Principal in the Cyber Risk Advisory Services practice at Grant Thornton, the audit and advisory firm. Vishal, thank you also for being here.

Thank you for having me, I look forward to the discussion.

So let me begin with just a couple of points and maybe a little data to set the stage. The first point is that just about everybody agrees that cybersecurity is important. We asked middle market executives about that, and just 14% shrugged their shoulders and said, cybersecurity is no big deal. The others all said it was a big deal and more than a quarter said that it was an extremely important issue for them. So it's a concern for more than seven out of eight.

But when we then asked the same executives what they were doing about this concern and what they were doing about protecting their information assets and their networks, fewer than half-- just 45%-- told us that they have a cybersecurity strategy that is in place, and has been reviewed and updated within the last year. So there is a disconnection between what companies say is important and what they're actually doing about it. I'm going to guess that gap exists for a couple of reasons.

One, some people are really convinced about how important it is. They're not going to worry about it until they are actually hacked or actually know that they've been hacked. So they're not convinced about what their level of risk is, and they're giving lip service, figuring that they can deal with it tomorrow.

The second possibility is that they don't know where to start; they're paralyzed into inaction. And maybe there's a third group that falls in between that underestimates the issue and figures that half-measures are enough, or just doesn't have the resources to bring to bear. So I guess I want to start with that first topic-- how big is the risk? Dmitry, maybe we can start with you first. We read about attacks on Target and Chase or Sony or Yahoo. How much do middle market companies have to fear from cyberattacks?

It's a great question, Tom. So in our work with our customers from our commercial practice as well as the mid-market size-- in my view, the companies don't need to fear, but they need to be very highly concerned. When you have large companies from retail, financial, entertainment, as well as technology verticals getting compromised, there are definitely signs for concern for companies on a much smaller scale.

I'm also seeing a large progression. A few years ago, when I talked to several CFOs as well as the CIOs from several of the manufacturing and health care companies, there was very little concern about the breaches, basically. The notion was, well, I don't have something the bad guys have, or I have enough protection that the company around me would be further compromised than I will be.

Today, this notion is changing. So a lot of boards are actually asking this question-- how are we prepared and what is our level of exposure around whether it's medical devices or manufacturing side or basic level of protection around customer records. Boards are getting a lot more engaged into those type of discussions which actually scales to the financials and technology executives within the companies.

So Vishal, in your experience, are there industries that are particularly at risk? Or is the risk across all industries? I mean, Dmitry just mentioned that medical companies and manufacturers sort of thought they were a third or fourth in line. But in your experience now, are we seeing that basically everybody's on the frontline in cyber?

That's a great question, Tom. I would say the software experience and based on what you see in the market, I think everyone is [INAUDIBLE] need to step back and ask the question-- if you are a business and you have some kind of asset which can be turned into a financial asset, then somebody's going to come after it. We are not talking about [INAUDIBLE] or terrorists; we're talking about criminals looking for money. We have found that actually the mid-market companies that don't have so much investment into their cyber programs, they are the easiest targets, based on most of the industry research.

You'll find any time the middle market company-- it will happen so many times. They will get access to their credit card machines, they will load malware, and the biggest threat they're drawn into is putting someone on a ransomware and asking them to either pay the bill or they're going to take over all their assets and steal the money.

So I remember ransomware from an episode of The Good Wife-- which some people might have seen-- where this little law firm gets it. They come to work in the morning and they get this notice, saying, "Ha ha, we have your computers, and unless you send us x $1,000"-- Your network is down. Is that what happens?

You're absolutely right, pretty much in the same fashion. I was working with a mid-sized company. They number one [INAUDIBLE] [INAUDIBLE] sum it up, I think the obvious answer they were in the hospital just yesterday, which got an obvious answer. But because it was something critical for [INAUDIBLE] asset understand your risk, understand your risk profile, and be aware of the [INAUDIBLE]

So Dmitry, what happens when you're attacked? I mean, in the case of ransomware, you know about it because your computers are blocked, and somebody's saying, "send us a lot of money." But there's an old proverb around cybersecurity-- I guess it can't be old, since it's not that old an issue-- but there's a proverb that says, "There are two kinds of companies-- companies that have been hacked, and companies that don't know it yet." So what am I looking for? How do I recognize that my network has been compromised?

It's a very challenging task. So our executive chairman, John Chambers, likes to say, as you mentioned, there are two types of companies: those that have been hacked and know it, and those that have been hacked and just don't know it. Because on average, it's somewhere between 200 and 250 days before the company realizes that they've been compromised. And it's usually--

More than a half a year I'm sitting there compromised, and don't know it on average.

Exactly. And they get a fax or the message or a call from a local FBI office, saying, hey, we found some sprinkles of your data on some server in a different foreign country. Because they seized control of the server and they found 10, 15 companies' data, so they contacted this company. When the company starts digging into their records, they discover what data left the company 200, 300 days ago. I mean, that's how wide the scale is from a compromise.

Companies don't usually realize that a lot of times, it starts with a very small, very conspicuous email phishing, targeting executives; if you're on the medical side, targeting chief nursing officers; if you're on the financial side, targeting tellers; people that have enough responsibility to get a hold of their accounts, of the credentials, and further start digging. In one of the cases, we discovered a hacker-- basically, when they compromise one of the accounts, they spend additional two to three months reading different emails and PDF documents within the company, trying to identify how the company segments it, where the most important data lives, and which particular service. And only then they started crafting different types of methods of attack. You have a full blown project management expertise on that side, and it's very, very commercialized.

Well, you mentioned ransomware. It's a very lucrative business. When you deploy 200, 300 malware pieces at multiple hospitals or manufacturing plants that cannot function without them, they will definitely pay their 10-15 bitcoins or 100 bitcoins, because companies don't usually realize that it's not just about their reputational damage. There are different productivity losses that you cannot function without on a regular basis.

At the same time, there's also response costs. And the response cost-- a lot of what we actually started when we started discovering, responding to all of the breaches and advising a lot of the executives around their response procedures-- what we determined-- they don't have enough connections with the law enforcement. Or when they signed an insurance provider, they have not signed an incident response provider that will work together with this insurance. And at the same time, their legal counsel is not prepared for a wide scale attack, as well as the communications. So they don't know how to handle a wide scale breach.

They will need to have a pretty strong relationship with an external legal fund to start those long conversations. So there's a lot of preparation work that goes in up front before you're able to successfully mitigate the breach response efforts.

I heard you say something very interesting-- and Vishal, I'd love you to add to it-- which is that an important part of cybersecurity is creating defense. We'll come back to that in a minute, because I'd like to talk about that. But a second important thing is-- so that's prevention, right? I do my best to prevent. The second thing is, I realize I'm going to get hacked. So I need to have a response plan in place-- no matter how good my prevention is, I need a response plan.

And you mentioned some elements-- number one, I need to know the people I should be in touch with at the FBI or local law enforcement, I need to know my law enforcement. Number two, I should have insurance, and I should make sure that I have insurance in place before I need it, just as you would have insurance in place before you take your car on the road, so I should have insurance.

Number three, I should have an internal response plan, a playbook, all lined up. I should have my legal defenses, my insurance defenses, my law enforcement defenses, and my processes, and my communication plan all lined up.

Vishal, is that a comprehensive checklist? What else do you need to think about so that you have it-- you want this thing written down before the panic strikes, so that you can turn to this playbook when you have it. What are the other elements of my response playbook?

I think that's a great point. I think what the mid-market [INAUDIBLE] saying I would say a couple things. One, you need to have what I call get [INAUDIBLE] You got to have policies, you got to encrypt all the confidential records, you want them being backed up, and stuff like that. And then second is, like you mentioned, the plan.

The key part of the plan though-- I also see putting incident response plan-- is understanding how your business really runs, what are things which can break your business, [INAUDIBLE] turning those items into real use cases, and then testing them. So for example, if you are running a restaurant, or if you are up in the restaurant game, then you've got to get out what will shut you down. You can have all the clients in the restaurant, but if someone loads up the malware and all the point of sale systems stop working, you cannot cut the bills. Now someone can put you on ransom. So do you have an incident plan which handles that particular use case, and do you know how to deal with it?

So what we are recommending is exactly what we're taking something one step further is-- just to add to it-- come out with your use cases [INAUDIBLE] are, because Trimble exploit that. That's exactly what they going to exploit. They can put stuff, like the web site, they don't care about. [INAUDIBLE]

So I think that's a great point, that as everything has become information technology, and all information technology has become connected, you may have vulnerabilities that you're not even aware of. And you just sort of have to rethink, what are the locks, what are the systems that I'm dependent upon, or what are my assets? I mean, your restaurant, for example, has all kinds of credit card records that go through its point of sale system, and losing that credit card information could be a very expensive-- if that information or patient records or other things for a medical practice are lost, those are really serious liabilities for the company and also really serious damage to your customers, which you don't want to have.

You're right, Tom. And I would say also, as you're thinking about it, I know sometimes it looks easy. Let me go pick up the phone and call the FBI. One of the things we are seeing with some of the clients is that they're nervous about it-- remember, once you call one of these agencies like the FBI, for them you're just a portion of the crime scene. You lose control of everything. They are investigating the crime scene.

Some of the businesses, especially mid-sized companies, think about if their business has to stop for weeks just for the process. So you got to be smart about what your real risks are, how to manage it, when you should call the FBI, when you could [INAUDIBLE] yourselves involved.

Right, so you have to remember to put your business in a really important position. Dmitry, yes. Were you going to add?

Yes, I was going to add that a lot of companies fear the involvement of law enforcement, fear getting engaged with outside companies, research firms, or anybody else who oversees different levels of intelligence around certain industries. And that's the connotation that historically, during the breach, law enforcement comes in, takes all of your devices that have been compromised for that investigation, if you had a nationwide attack, and everything else. And that is an old way of thinking, an overprotective way of thinking. So law enforcement has come a long way.

With our work around our clients, as well as working with law enforcement, it's a lot more sharing that's going on within the industry. Financial services emphasize that. And law enforcement participates a lot with [INAUDIBLE] sharing a lot of the nations associated with threat actors, who the risks associated with the business applications. They provide a lot more educational aspects, versus purely investigative aspects around notions.

They really are your friend.

Right.

They really are your friend in your experience.

Yeah. Obviously before the breach, you want to make sure that you participate with law enforcement. You get to know the folks who are actually supporting localities around this, usually the local FBI office, state police are involved.

At the same time, there are pockets of different companies who are already sharing this data through the industry associations, as well as the approaches that they share common practices around protections. And they also share different indicators that they received through third party or commercial sources. They want to make sure that other companies are not compromised. Because, as an industry specifically, we are stronger together than individualized providers in this case. It's like an old way of saying if I'm spending a dollar more than a neighbor next to me, I'm in good hands. That's not the case today.

So I hear a couple of things here, and I think this is really useful. One is get to know the relevant law enforcement people early. And if you're a CEO, you should ask whoever's in charge of cybersecurity-- do you know who those people are? Do you know who you're going to call? And do you already have a relationship with them?

And second of all, be actively engaged with your peers, which I imagine could be peers in industry or your community peers, local CEO groups and companies of your size. What about cloud service? I'm a mid-sized company, I've got an IT department of six out of 12, I haven't got the deep expertise in this that I'm afraid that I need. Should I just work with a cloud services provider? And I know Dmitry you provide this, so I think your answer is going to be yes.

But I'd love to hear the do's and don'ts about that from both of you. Dmitry, why don't you start and say what's the case for and maybe the case against outsourcing your cybersecurity.

Well, when you look at it, it should be always looked at in connection to your business, whether you can outsource some functions or outsource functions of the cybersecurity or not. If you just take a step back and think about how Cisco's structured, we have four chief executives that are tasked with protecting the business. There is John Stewart, who is focusing on security and trust organization; Steve Martino, who is focusing on the information security function; Edna Conway on the supply chain; and we recently hired an individual to protect our privacy and reputational aspects.

So those are four executives for four aspects of information security, right? Wow.

Exactly. And that doesn't mean every company has to follow it. But what I'm trying to say, every company has to understand the business exposure around their supply chain, and how they interconnect with other businesses or their customers, which leads to the cloud question, specifically. Cloud is an extension of your business, and it should be treated as that.

That means there are a lot of third-party risks associated with data sharing depending where you conduct your business. Is it specifically in the United States and also includes companies around the world? That should be specifically considered.

And cloud providers are also different, because if as the CEO you started thinking today about using cloud, you're probably already too late to the game. There is a term called "shadow IT," where an employee can purchase cloud-level storage for less than $50, and fit the entire database in the cloud without IT department even knowing it, because that's how easy it is to acquire cloud-based storage. So that's all in here in the game.

So the private cloud could actually create a new vulnerability for you. Vishal, what's your advice for companies? How should they investigate or think about outsourcing some of their cybersecurity capabilities?

I think it's a great question. I'm going to take off my consulting [INAUDIBLE] compared to a medical practice if you're a small business there. See, the cloud is there to stay, and the only way it's going to go, as Dmitry said, it's going to keep going [INAUDIBLE] Some other risks are [INAUDIBLE] infrastructure [INAUDIBLE] your company, but again, on the other hand, you can also say you may have a server, pushing all the data sitting at someone's desktop which is probably more [INAUDIBLE]

--getting your cloud services up. That's what I did for my wife-- figure out what security if you what kind of backups you're going to keep, then you're actually in much better hands that way.

Also, you got to think about even if the data goes to the cloud, some of the issues are very similar [INAUDIBLE] big ones like Target were hijacked out of someone's account, which brought those companies to their knees. That's the most common phenomenon. It is not as easy to break in and get in there to hijack [INAUDIBLE] What I think is cloud is there to stay, you just need to do more due diligence. And also, you need to start thinking how much value cloud is providing you, so spending some extra into security is actually a good thing because that helps you grow faster in your business.

You don't have to take a [INAUDIBLE] infrastructure, you don't have to create a payment, you can make minimum payments [INAUDIBLE]

--mid-sized companies. But the way the world is growing more digital, you are actually better off spending-- spending on security is should be part of cost of doing business so you can grow faster and [INAUDIBLE]

We have a datum that I was quite happy to see, which is that companies that told us that they were growing more than 10% a year were also companies that were more likely to say that they had an up-to-date cybersecurity policy. In other words, a good defense was not contradictory to a good offense. It seemed to be enabling a good offense. And I think that's a point to make.

I know we don't have too much more time. One of the themes that has been running through this is that there's a whole opportunity to map your risks, or a requirement to map your risks. And I can almost imagine a big piece of paper or a white board that was literally a map of my cyber risks.

And you're probably not going to be capable of covering all of them. I mean, you can't ever be 100% safe. So you're going to have to manage how much risk you're willing to take and how much risk you're not willing to take, and how much defense you want to put up.

But I think another theme that runs through everything I've read and learned about cybersecurity is that technology can help you a lot, but your vulnerabilities are mostly human, and they're in having good processes and having aware people. And I'm wondering if each of you can talk for a minute about how you audit processes, and how you train people so that you don't make the careless mistakes that open your network. Vishal, let's start with you on that.

Sure, Tom. This is one of my favorite topics. I almost follow it as like good hygiene enhances the well-being. We do that in our personal lives. But if you don't have a good hygiene, we all end up at the dentist.

Well, so when I look at it from a cyber perspective, it's the sort of thing companies should be doing. It's like you mentioned-- having a security policy, encrypting all records which are confidential data, performing frequent backups. The big part is carefully screening your potential employees, because the insider threat is much higher than the threat we see from outsiders. Someone coming in, putting thumb drive on one of your computers, collecting all the data, and selling it on dark web is more common than you think. Training your employees is a big part in key areas like the acceptable use policy.

And finally, what we also recommend-- what I'm saying is, I would put a policy on your bring-your-own-device. And in terms of training, the best way to train is not necessarily sitting in a room and blinking through PowerPoint slides. The best way to train is really doing some real time [INAUDIBLE] Once your employees show up [INAUDIBLE]

I recently did with one company, where we actually had a couple of people trying to get that role stand outside the office. They just took [INAUDIBLE] so we were thinking if they just said, hey, you are entering in, we are just checking whether your badges are working. We are from the big company. 90% people handed us their badges, we just scanned the badge on our machine and handed it back to them, and they checked in at the company. By evening, we have badge access data for 90% of the people.

So it's so easy to do because as human beings we like to trust the system, we like to trust people. But we are forgetting there are cybercriminals-- and I stress the word "criminal"-- who are after this model, and you've got to be doing a lot of those case-based social engineering kind of models. And that starts changing behavior [INAUDIBLE] and that's the thing driving risk culture within your organization. The more you spend on it, the stronger your company's going to get, and be more able to defend itself.

Dmitry, let me give you a chance to add on to that, about the human and process side of cyberdefense, so that the technology can do its job.

Absolutely. Vishal said a lot of good points associated with that nature. There is actually a saying, "The best network to protect is the network that's down," meaning nobody has access to it. And unfortunately, and obviously fortunately now, the reality is that we're all interconnected.

When we actually communicate information to our partners, supply chain, cloud-level providers, employees or users, we always exchange different bits and pieces of information. And this information could contain private data, employee information, health care record, payment records. A lot of the users don't even realize this. So one of the steps that we see where companies started focusing on is just little steps-- how to recognize what a phishing email looks like, and how to create strong passwords, how to avoid using different dangerous applications that could be not just social media applications, but applications at work specifically. And avoid taking information out of the company on different types of devices.

So one of the companies that works with us is a smaller health care company. When one of the executives received a phishing email and followed the link and became a victim of the phishing, that started a wide scale education around the entire company. And the company even started going deeper into how they operate security within their enterprise. If the executive falls for that level of phishing job, then everybody else could. And then the same thing goes for a foreign employee or a subcontractor that works for that company.

Another part is also outlining the clear use policies for new employees and vendors, because we bring other folks into our environments to use our devices or bring their own devices. So what can be done? What cannot be done? How do you escalate what you see within your environment, your IT and security staff, as well as maintain compliance?

Because a lot of mid-sized companies don't realize that frameworks that large companies use can also be applied to a mid-sized company. I'm referring to HIPAA, as well as the payment card industry standards, and the National Institute of Standards and Technology, which provide ready-to-go frameworks that allow you to assess how your internal security department is doing in terms of their readiness to protect against large scale breaches.

It's interesting in that the human side of this is so important. And I think one of the things that we learn is that when processes become inconvenient, they become dangerous, that people will take shortcuts if there are shortcuts to be seen. And so ideally, you want to devise secure processes that are convenient.

I once worked for a company where we used to let visitors come up-- I was working on the third floor, somebody would come in downstairs, we'd just say, "Send them up, come up the stairs." Turned out we were taking credit card information in another part of the building, and we really could no longer do that. We were supposed to go downstairs and physically escort that person upstairs as part of a standard about taking credit card information. Well, that was an inconvenience to us. It was just not what we were used to, and it didn't sort of match our ethos. So we sort of complied, but we didn't comply as well as we ought to have, and that was actually a vulnerability and a breach.

I'm afraid we're out of time for what could have been a discussion that could go on for an awful lot longer. A couple of key themes that I heard are-- it's important to understand your readiness. And I'd like to call your attention to a website that we've put up, a cybersecurity resource center specifically focused for mid-sized companies. The URL is cybersecuritycenter.middlemarketcenter.org, and there you will actually find an assessment tool, a PDF that you can download that just asks 40 questions to help you gauge your preparedness across people, processes, technology, and across prevention before, during, and after a cyber attack.

Hearing some important themes about recognizing the human element of cybersecurity and recognizing its importance, and that regardless of industry and regardless of company size, you and your critical assets can be and probably are in danger. And also the importance of preparation, of not only creating a good firewall and good technological prevention, but having a playbook, so that 200 days after you've been attacked-- when you discover you've been attacked-- you know what to do and don't have to invent a response right then and there when you're sort of in panic mode.

So with those thoughts in mind and that advice to you, I want to reiterate the URL cybersecuritycenter.middlemarketcenter.org. I want to thank very much Dmitry Kuchynski and Vishal Chawla-- Dmitry from Cisco Systems, and Vishal from Grant Thornton-- for joining us with their expertise. Gentlemen, thank you very much.

And thank you all for listening to The Market That Moves America. Never miss a new episode. You can subscribe to the podcast on iTunes, Stitcher, Google Play, or wherever podcasts can be found, or you can also subscribe and visit us at middlemarketcenter.org. Thanks very much.