••• SPONSORED SECTION •••
Today’s global economy relies on data shared and stored through cyberspace. North Carolina businesses — large and small — have long known the importance of maintaining the physical property they own and protecting against intruders, potential theft and other acts that could cause issues within the company. Emerging from the age of COVID-19, employees working from home pose even more challenges. Add to that the effects of recent cyber-attacks on businesses and organizations across the country, and cybersecurity becomes an even more important topic for all N.C. businesses.
The discussion was moderated by NC Tech Association’s Brooks Raiford. It was edited for brevity and clarity.
More companies and government agencies are victimized by ransomware. What are the ramifications for N.C. businesses and organizations?
RODGERS: One thing that we need to start with is the state has issued an edict that no state agency may pay a ransom at all. (North Carolina is the first state to do this.) All of these schools and agencies are really going to have to get with it when it comes to incident response, and, most importantly, the backups in making sure they can restore their systems so they aren’t down for very long. I think that really is the key. They say that there are two groups of people, those who have been hacked and those that don’t know they have been hacked. You have to assume that you have been and you have to act accordingly, and that means good preparation and making sure you have a good incident plan in place. The last thing you need is for everyone to act in an uncoordinated way. When you have press come along they typically interview the person who doesn’t know anything and the person typically says something they shouldn’t. Everyone in your organization needs to understand how to respond and who is supposed to talk and who isn’t.
Typically with ransomware you are going to have to get the FBI involved. And at that point you are going to need an attorney. So you are going to spend a lot of money. I just read an article about a school in Connecticut that was the victim of ransomware. The outcome was it cost them about $500,000, and about $350,000 of that was unnecessary. Had they done everything upfront that they ended up having to do in a very short period of time, it would have cost them about $150,000 over the course of the year to get where they needed to be. So that tells you something. You need to be prepared. It’s coming. Just get ready for it.
RANDALL: I know of one incident in the last year or year and a half with one of our other community colleges. It was hit with ransomware. It took their entire system down. It didn’t just cost them their emails, it cost them their curriculum. Because when it shut their system down it took down their learning management systems, it took down access to all their courses. You didn’t know where your students stood in regards to their courses, who had submitted what and what grades they had when the system went down. They were pretty much stuck until they could get to some backups and be able to start rebuilding. All their instructors had to start rebuilding their courses.
STERNSTEIN: There is a lot of pressure for organizations to pay and the criminals know this. We’ve talked about companies paying to get their lives back. More and more recently criminals are trying to tell companies that if they don’t pay they are just going to release all their data, too. That adds additional pressure on companies to want to pay in order to get their files back. Paying doesn’t mean that everything is going to go back to normal.
We had a company that reached out to us a year or so after a ransomware attack. They paid the ransom and a day later they got hacked again. The criminals claimed this was a completely different criminal group that did this. Just because you pay doesn’t mean you are going to get all your files back and not get hacked again if you don’t do the correct incident response and figure out how this happened in the first place.
KESLER: Building on what Jon said, when you’re making a decision to pay a ransom, you are dealing with criminals. You can’t assume a criminal is going to give you your data back. It’s quite possible they can’t even give you your data back. And going back to what Laura said, preparation is really key. Doing things like simulated exercise, tabletop exercises and walking through the scenarios and understanding how your organization might be impacted if you lost those systems. And, by the way, that can bring benefits beyond just ransomware attacks. You can have a natural disaster that can render those systems unavailable. As an organization, you need to be spending the time to understand how you depend on those systems, what you do if you do lose those systems, and how you can recover that data. Do you have backups and have you tested your recovery procedures? We all know paying a ransom should be a last resort and that we shouldn’t negotiate with terrorists.
What has been the impact of the shift to work-from-anywhere on security for employees’ devices connecting to a corporate network?
KESLER: Prior to the pandemic, many companies, especially cloud-native startups, were beginning to adopt the “zero trust” network architecture model, and I think the move to work-from-anywhere has accelerated that model. Traditional network security models tend to be heavily based on the idea that access originating from corporate networks could be trusted, and for companies using that approach, remote work tends to create higher risks.
Zero trust turns that on its head by assuming that no network can be trusted, and instead focuses on using strong authentication methods to verify user identities and that access is originating from devices that meet an organization’s security requirements. So it becomes less important as to what network users are coming from and it gives you more flexibility whether you are sitting at home or sitting in a hotel or sitting in an office.
For companies that were already using zero trust, the shift to work-from-anywhere was a non-event, and I think many who weren’t have struggled to adapt.
RODGERS: Organizations where employees primarily worked on site all of a sudden had to develop policies and procedures to handle everyone working off site. I saw many companies struggling with “I don’t even know how to start telling people what networks they can use and they can’t use.” I saw a lot of things come out a year after we were all working from home. It took them that long to get a handle on: “What we can and cannot do. If it’s an employee’s device how can I tell them what they can and cannot do for work?”
One of the things we really got a handle on with COVID is we really got to think about all the risks out there and how we need to have something in place for every one of them whether for a natural disaster, or another pandemic, a ransomware attack. This is the time you have to sit down and really brainstorm all the things that can go wrong and have a good plan for each one of them. Right now everything is fair game. If you’re not ready you are going to be left behind and you’re going to have some big problems moving forward.
How have security issues changed your curriculum and teaching strategies?
RANDALL: I’m the department chair for IT and we have changed our program of study from security. We now strictly focus the program on cyber. Our networking technicians and web developers are both using cyber courses as well so our students are well rounded and they are looking for all that can go on.
When the pandemic hit, my department was ok because my students were already primarily online. My students were okay, they are the gamers that stay up all night. We had a lot of traditional instructors, they didn’t know what to do. The business office, they’ve always worked from the office. Different VPNs (virtual private network) had to be set up so they could work remotely securely. In my department we really make sure they know security is a big thing. We have two factor authentication on campus. The different third party software we use to teach with, they all have a focus on encrypting your data as well.
We’re trying to make sure we get the word out. We are trying to put information out locally on C-19, the TV station we have here at the college, where we do a “cyber moment.” We are trying to educate the public on how important this topic is. We’ve got to keep everybody’s data safe.
What are some of the new rules or best practices for collecting, storing and using personal information?
KESLER: I think the EU’s General Data Protection Regulation, or GDPR, which went into effect in May 2018, has set the bar for data privacy. Even though the GDPR is focused on protecting the data of EU residents, many subsequent national and state-level privacy regulations, such as the California Consumer Protection Act (CCPA), follow many of the same principles. A lot of the states have similar legislation geared around protecting the privacy of individuals. It boils down to a few main concepts. One is making sure organizations have the legal right to collect and store that private information they are getting. Another is making sure you are following industry practices around protecting data. You also need to be able to address the basic requirements of removing personal data upon request, providing an accounting of who accessed personal data, correcting errors in that data, and not selling or sharing that data without the user’s express consent.
It is certainly getting more complicated with more states and more countries creating their own privacy regulations, but from my perspective, the work that we have done to be compliant with GDPR puts us in a pretty good place for meeting any new requirements from other jurisdictions.
RODGERS: One of the best practices now is to not get any information from a consumer or anyone else that you don’t need. For the longest time it was: “Get all the info you can get because you might not know if you would ever need it.” We collected a lot of info that didn’t really need to be collected. Now it’s shifting more to getting only information for that purpose and nothing more. If you don’t have a legal need for that data you shouldn’t be collecting it.
KESLER: Laura has made a great point here. Culturally speaking, companies are often thinking: “We might need that data so let’s get it just in case.” With an increased focus on privacy, having that extra data dramatically increases your risks.
STERNSTEIN: You have to know all the data you have collected and know where it is stored. And minimizing the data is something that’s highly crucial these days. We see companies all the time collecting way too much information that they do not need.
How often should policies and procedures for privacy and security be reviewed? Who should be part of the process?
RODGERS: Yearly at minimum. If you have an incident, you would have to review everything at that point. This is one of those jobs nobody likes. What I prefer is reviewing policies and procedures on a rolling schedule, so you’re not confronted with this monster job at the end of the calendar year or fiscal year.
As far as who should be part of the review process, the data owner certainly has to be there. A lot of people think of IT as the data owner. They are helping process the data to get where it needs to be, but are not the data owner. If you look at these policies and procedures there may be a need to purchase another tool so then you need finance reviewing the documents as well. If you don’t get everybody in on this decision and working together, the decisions you make will not be optimal at all.
STERNSTEIN: In addition to that, I would highly recommend you review your policies if your business changes, for example if you are expanding to a different market or collecting different types of data than before.
RODGERS: For those of us who have kids, before you had kids you got to do whatever you wanted to whenever you wanted to. Whenever you have a baby, every single decision you make going forward you have to look at what the impact is on that baby. Cyber and data privacy are your new baby now. Whatever changes, whatever you do, you must think of what the impact is on cyber and data privacy first. You can’t wait until the end and slap it on. You have to think of it in the beginning. Cyber is your new baby. ■
PLANNING FOR THE INEVITABLE
As cyber attacks become the norm instead of an occasional headline, having plans and policies in place is crucial. Attorney Will Quick, a partner at Brooks Pierce in Raleigh, helps companies of all sizes in all industries that are experiencing cybersecurity incidents with the investigation, response and notification process. This often means coordinating efforts across multiple states. The board-certified specialist in privacy and information security law has expertise in assessing regulatory obligations and developing privacy compliance programs as well.
What has been the effect of recent ransomware attacks on various businesses and organizations?
Ransomware attacks have exponentially driven up the cost of incident response, including the cost of cyber insurance. Typical ransom attacks now include both system encryption and data exfiltration. When you are hit with one of these you have to get back up and running, figure out how the bad guys have gotten in and close that gap. You also must determine what data might have been exposed and what your obligations are related to that data. Those are costly processes. I try to get clients to understand that investing in cybersecurity measures, data mapping and redundant backups on the front end is going to save a lot of headaches and money when a ransom event happens. As an added bonus, these efforts up front can also help to bring down the cost of cyber insurance.
How often should companies review their privacy practices and related policies?
This varies from industry to industry and company to company, but I think an annual review is a good starting place. Just as important is having someone in the company or a trusted outside advisor who knows your business keep up with changes in data privacy laws so that you aren’t caught by surprise when the law changes somewhere you do business.
What and who should be involved?
It’s important to have a multi-disciplined team involved in creating and updating privacy policies. Certainly legal and IT, but marketing, HR, accounting and management all have roles to play. Really any department that holds personal information about consumers, employees, or business partners or other sensitive company data needs to be involved.
Why is it important for companies to periodically review and update their privacy practices and related policies?
The data privacy landscape is constantly changing. In the past year, Connecticut and Utah have passed comprehensive consumer privacy laws. In 2021 it was Colorado and Virginia. These all come after California’s CCPA in 2018, which was expanded by the CPRA in 2020. More will follow. While implementing solid privacy principles can go a long way towards satisfying multiple laws, there are slight variations that require tweaking on the margins. ■