Saturday, June 15, 2024

Round table: Cybersecurity, changing landscape

Today’s economy lives on the internet, and the COVID-19 pandemic has helped it thrive there. Goods and services are sold and bought in increasing amounts, and more employees use it to work remotely every day. While that’s good, there’s some bad, too. Data breaches, for example, are growing larger and ransomware more powerful. And when those happen, businesses are often left holding the bag. What they can do with that bag, or avoid it altogether, is changing because of new laws and lingering effects of the pandemic. Business North Carolina and trade group NC Tech Association recently gathered a group of experts to discuss the current cybersecurity and privacy environment and ways North Carolina businesses and organizations can navigate it.


Brooks Pierce sponsored the discussion, which was moderated by NC Tech Association President and CEO Brooks Raiford. It was edited for brevity and clarity. This presentation reflects the personal views of the speakers in their individual capacity. It does not represent the views of their respective organizations or employers. The information contained herein is intended for informational purposes only and should not be construed as legal advice or a substitute for obtaining legal advice from an attorney. The information in this presentation is based on our current interpretation of recent developments and its implications on businesses. This is a very fluid area and thus further changes and variations in interpretation remain very likely.


The COVID-19 pandemic forced more people to work from home. What cyber security issues has that created?

CHU: Cybersecurity vulnerabilities are more pronounced than in the pre-pandemic era. It used to be inside and outside the company. That has blurred. It’s all the way to your home, too. We have technology that, in theory, can deal with these issues. But it isn’t always properly implemented. That exposes holes in the strategy.

COTTRELL: Home networks are now being used for work. There also is a physical security aspect. Employees are coming and going, maybe at the office a day or two each week. Your workforce may not immediately recognize who’s an employee, a visitor or someone who shouldn’t be there at all. We look at security risks such as tailgating, when an employee unknowingly gives an intruder physical access to a place of business. That likely will happen more frequently as employees see their colleagues less in person and more online.

COBB: Many companies chose connectivity and convenience at the expense of security at the pandemic’s start. They quickly gave access to customers and clients. They made technology changes, often without advice from a security expert. They may have tried to implement protections, but the pressure of survival forced them to cut corners. Many of those cut corners haven’t been fixed.

How has the increase in remote working affected the use or risk of ransomware?

QUICK: We’re not necessarily seeing new attack vectors for malware or ransomware. We’re seeing that people are more susceptible to some of the methods that have been used for years, for example, failing to recognize a suspicious email link while working at home. They say they were distracted — maybe their child needed something — or they thought it was from work. If you’re in an office and focused on work, you may be less inclined to click that link. It also seems the bad guys using ransomware are more patient. They gain access and wait for a critical moment instead of jumping on the first opportunity to shut down a system or extract data. I don’t know why, but I feel like I see that more. Ransomware also is much more than just ransomware. It’s evolving. It used to be ransomware locked you out of a device or system. Maybe you don’t pay to unlock it, because your great backup system can get you rolling again. So, you tell the perpetrators to pound sand. More and more ransomware also includes data exfiltration. So, when you say you’re not paying, the bad guy reveals that they’ve taken a data packet, and they’ll put it on the dark web unless you pay.

COBB: We do quite a bit of frontline incident response. Ransomware is one of the most common that we encounter. We see evidence of attackers staying longer in systems, especially those that may offer a bigger payout. But in cases involving small and midsize businesses, it’s often a quick cash grab. The ransomware is deployed on a Friday afternoon, and you arrive to that pain Monday morning. It’s interesting how our culture views ransomware. These are businesses that are stood up, but we provide some legitimacy to the perpetrators. Everyone believes that you pay the ransom. They believe they’re working with someone who will keep their word. That’s not true many times. That interaction plays a role in ransomware use, development and expansion.

D’ARRUDA: It’s definitely a problem. Home networks may lack security. Passwords may not be changed as frequently as they were in the office. We’ve had 361 reports of ransomware this year as of the end of September. We think that number is low. The first thing every morning, I review the breach notices that arrived overnight. At first, when ransomware started to be reported, few listed it because of how North Carolina’s statute defines a breach. Many people said entering and encrypting a system wasn’t technically a breach because data never left the system. Now there is exfiltration of data, and that probably makes most a breach, according to our definition.

How do you define reasonable security measures? What triggers breach reporting responsibilities?

CHU: We need to train security people. And we need to do a better job providing every information-technology person with an understanding of security. That will answer some questions about reasonable security. But we’re not doing that. UNCC has the same problem as everybody else. The curriculum is full. There are so many things that we need to teach, and security isn’t always seen as one. It’s relegated to a few courses. Many employees, even technical employees, have little security knowledge. They believe it’s for security people, and they add cost to a system. So, if your system administrators, software developers and managers understand security, perhaps you won’t need to spend as much on it. A consortium of North Carolina community colleges and universities, including UNCC, recently received a $2 million National Security Agency grant to establish a business center for cybersecurity. It’ll fund education and outreach activities.

COBB: Many small and midsize organizations and businesses, including K-12 educational systems, struggle with cybersecurity, whether paying for it or changing employee behavior around trusted and longtime business functions. Email, for example, isn’t a trusted communication platform. You typically can’t verify a sender. IT folks need security awareness for sure but so do frontline employees. That will make them suspicious, raising concern about things that seem out of place. We interact with organizations hit by ransomware.

Many don’t have an IT budget per se let alone a cybersecurity budget. We’ve seen resistance to implementing cybersecurity measures. It’s a struggle for companies who haven’t considered the risks and impacts of a cybersecurity incident. Many businesses, especially small ones, won’t survive one. The IT community needs to do a better job of informing business owners and managers about risks and impacts, so they can decide what’s reasonable. The first step is awareness training. Then maybe it’s easy to implement things that significantly reduce risk such as multifactor authentication, which, for example, would require a user to log in then enter a code sent in a text. We consider that reasonable. Attorneys can discuss liability around negligence — what you know, what you don’t know. Education is a key piece of protection, and we just don’t do a good job of it.

How can small and midsize businesses improve their cybersecurity position?

COBB: Technology, such as two-factor or multifactor authentication, is something we recommend at access points to services or applications. It’s easy to implement and reduces risk. But it isn’t a silver bullet. Many people believe antivirus software is sufficient, but it isn’t anymore. Attackers can overcome it. Consider endpoint tools such as endpoint detection and response or endpoint protection platform, which look at behavior analytics among other things. If you use these, make sure somebody is watching for their alerts. We’ve seen instances when red flags were raised but no one was there to take action. Preparation is one of the best things that a company can do. Leadership should discuss a response plan, which includes fulfilling legal reporting requirements, before an incident. The moments afterward, when everyone is flying around in different directions, aren’t the time to create one.

COTTRELL: There are many benefits from programs such as email testing and training. Vendors can implement them. They don’t require much infrastructure work from the business, and they pay dividends. Technology mitigating and blocking attacks is great, but if you haven’t trained employees to recognize a phishing email, then it’s all for naught.

QUICK: I wish I had a nickel for every time I discovered that a client never took away network administration rights from the administrative assistant. I don’t know how technical that is to do, but it’s a basic thing. Be careful who has administration rights and who has the ability to access data that they don’t need. It can make a huge difference in a bad guy’s ability to access your system or data.

Several states have adopted comprehensive privacy laws. What do they do and how do they differ from what’s on North Carolina’s books?

QUICK: Post-incident laws that require reporting after a data breach have been around in the United States for about 20 years. Those laws focus on what a company has to do to give notice after a breach but generally don’t provide any rights to control what data a company stores about a person. The first big law of that sort that affected U.S. businesses was the European Union’s General Data Protection Regulation because of its broad scope. Not long after GDPR, the California Consumer Protection Act was passed. It was the first comprehensive U.S. privacy law to give individuals the right to decide how their data is collected, corrected or deleted, and sold or shared. That’s a big shift. Virginia and Colorado have passed laws similar to CCPA. North Carolina is among about a dozen states that have or had similar legislation in the works. I look at this ever-evolving patchwork and help businesses be as compliant as possible. It can be a difficult task. But it often starts by asking where your business operates — not so much where you’re headquartered. There are triggers in the California, Virginia and Colorado laws, for example, that might apply to any client that’s operating beyond North Carolina. So, we’re looking at a broad set of laws. Beginning in late 2019 or 2020, more clients were trying to thread the needle by complying with respect to consumers located only in California or EU countries — i.e., only giving those residents the comprehensive rights. But now there’s more acceptance of applying the same set of privacy rights across the board. It becomes too difficult when you get an email from somebody in North Dakota and one from somebody in California, both inquiring what data you have on them and both living under different data handling requirements. It takes a lot of resources, often more than businesses realize and are willing to put on the table. There are solutions, but it’s still a process.

D’ARRUDA: North Carolina’s comprehensive law stalled. It may or may not return. More states are looking at comprehensive laws. As more states adopt them, it may be easier for companies to treat everyone’s data and information the same regardless of where they live. Companies may not want to do something different for each state. So, some states may see the benefits of a law without enacting one.

COTTRELL: We cross our fingers every day, hoping for a Federal Trade Commission regulation or federal bill before it gets out of control. The security breach laws across all 50 states and territories are similar. But comprehensive laws will start conflicting with each other soon. The Uniform Law Commission offered a uniform privacy law. It’ll be interesting to see how that progresses, and I think we all will be watching to see if states start picking it up. Virginia and Colorado’s comprehensive laws are more friendly to businesses. Some information, for example, isn’t necessarily connected to a ‘consumer’ as California has defined one. So, hopefully those states are the models that actually proliferate.

How does security and privacy differ between business-to-business and business-to-consumer interactions?

COTTRELL: The immediate concept of B2B is you’re working only with businesses, which aren’t people. So, you don’t have to worry about data protection from a personal information security breach perspective. In B2C, you might have a person’s information such as credit card information or social security number. But comprehensive data protection laws don’t necessarily distinguish between people and businesses. A B2B company, for example, may have more personal information, though not necessarily personal identifiable information, that falls under the scope of some state laws. Personally identifiable information, which is more likely in a B2C context, is more likely to fall under security breach laws, which include reporting obligations. B2B companies have to think about the business contacts and end-user data they collect and hold. If you’re selling to a distributor, for example, but collecting information about who’s using your products, then you could have personal information or data that’s protected under comprehensive laws but not necessarily personal information under security breach laws.

QUICK: I review vendor contracts, identifying obligations for companies that might hold data of our clients or B2B clients that provide a service to a B2C. We look at each contract’s language, reporting obligations and who they may have to indemnify if the breach is on their side. Data privacy and cybersecurity are issues wherever you are in that chain. There have been a number of incidents where I’ve had a client say, ‘Hey, here’s what happened. This service provider had a breach. They told me about it. What does the vendor have to do?’ I look at the contract, and there’s an ironclad indemnity, and they don’t have to do anything other than maybe tell their customer. That happens more than I wish. So, it’s important to know those relationships on the front end.

D’ARRUDA: There are several definitions of personal information. In North Carolina’s Identity Theft Protection Act, it includes a person’s first and last name in combination with other things. And a person can be an individual, partnership, corporation, trust or cooperative association. So, it can be B2B. When a company has information on a business, especially a small one, it could be using a social security number as a tax identification number. You may think you’re handling one, when it’s actually the other. One thing all businesses can review is their legacy systems: People store data that they don’t need on a server that they think isn’t connected. Then inevitably someone gets into it. People need to do a checkup, find out what they have, identify what they need and discard what they don’t. That way it’s not available for when somebody gets in your system.

COBB: Many companies don’t have a data classification policy, so they don’t know what data they have. Different parts of a business or organization do different functions. Sometimes security incidents or breaches are isolated. But if you don’t know what data was exposed, it’s extremely difficult to have legal discussions because you’ve added an unknown. Ensure your business or organization knows what data you’re working with and what data is important to you. Identify your crown jewels, especially intellectual property, that attackers may want and where it lives. That’s information that most organizations haven’t thought through but need to.
