Businesses and organizations always have to be on their toes when it comes to cybersecurity, protecting their clients’ data and personal information, along with the computer networks that store them, from a breach. It has become a bigger responsibility as more of our lives — personal and professional — migrate online and to the cloud. The arrival of COVID-19 this past spring made it only more difficult as most people went to work and shopped more often from the protection of their home. Business North Carolina gathered a panel of experts in the field to explain how protecting important information has changed during the pandemic and how business owners need to adapt.
The event was sponsored by Brooks Pierce law firm and Accenture Security.
The transcript was edited for brevity and clarity.
The COVID-19 pandemic has forced more people than ever to work remotely. What cybersecurity issues has that spawned?
RAIFORD: The COVID-19 pandemic has affected businesses beyond their bottom line. They have had to change the way that they work and the way that they handle their cybersecurity issues. Many are equipping employees who had used a desktop computer with a laptop and sending them home to work. Some are using their personal devices, which raises many security questions. Depending on the company and its size, along with the role of the employee, that response is handled in different ways.
ROETHLISBERGER: I don’t think anyone will be very surprised about which issues have developed. We’ve all had many of these conversations, and the topics were discussed at last month’s two-day virtual North Carolina Cybersecurity Awareness Symposium, which was hosted by the state Department of Information Technology’s Enterprise Security and Risk Management Office. The biggest difference between working in an office and at home is that your security needs to reach further. The end user and his or her home workstation, along with your vendors, expose your periphery more. You have many users who weren’t working remotely before the pandemic arrived in March, which turned them into remote users overnight. We all have had to adapt by expanding or adding services. It has uncovered limitations that before were unknown. Systems have never been stressed to this degree, moving from maybe a couple hundred users to a few thousand quickly. There are studies, on top of plenty of anecdotal evidence, that show employees perceive home and office work environments differently. If you surveyed end users who worked in an office about best practices for cybersecurity, they’d give you different answers than those working from home. Working from home is a different experience; it’s easy to become complacent. There are things that we can do technically to improve security. But we must match all those with policy training and awareness, informing and reminding end users of cybersecurity’s importance. That’s even more vital at home, where they need to be more careful. If an organization or business doesn’t use a virtual private network, for example, and its employees are accessing data in the cloud through a pure internet connection, then any of the protections that come with a corporate network are lacking. We see that with partners and peers. They’re falling victim to malware and ransomware. It’s a real concern.
LaSALLE: All of those issues are compounded by how attackers are taking advantage of the crisis. Some recognize that online defenses are weaker for people working remotely, making them easier to target. Others are using the lure of clicking on pertinent information, whether that’s the latest local COVID infection statistics or an update on a vaccine, to gain computer or network access. The environment that we are defending has become more complicated. Attackers are focusing on that, too, which only compounds the problem. But there are some good things that have come out of it. More companies and organizations, for example, are embracing cloud technology. There aren’t enough resources in any to scale traditional services. So, they look to the cloud to get it done.
QUICK: I’ve noticed two issues on the back end of systems while helping clients resolve incidents over the past six months. Many companies have furloughed or laid off employees because of the economic slowdown that arrived with the stay-at-home orders given to halt COVID’s spread. Some of those unlucky folks were information-technology professionals. That means when I arrive on scene, there might not be anyone available to answer my questions. I’ve seen situations where the most senior IT person was gone, a move made simply because that position had the highest salary in the IT department. So, I ended up talking with a more junior IT employee, who was only there a few months and uncertain about how systems installed before his employment were configured or why they were set up a certain way. That information is vital to successfully responding to a data breach. Breach response is a partnership between those with legal knowledge, those with technical knowledge and company executives. You’ve got to have all three to make it work. I also have encountered challenges with cyber insurance, which companies purchase to cover costs associated with a data breach such as notifying customers and monitoring their credit. Some insurers have taken the position that their existing policies don’t cover incidents resulting from work-from-home. I’ve worked with clients whose insurer refused to honor the policy because a breach was initiated from a home network vulnerability. The policy covered the company’s network, not personal devices or home networks. The company had never had employees working remotely before the pandemic, and the situation wasn’t contemplated when the policy was written. It’s one example of something that isn’t thought of until it’s too late. But they do happen, so companies should consider them.
WALTON: Many other flaws that were never considered have been exposed by the pandemic. They can be on the business’ or client’s side. Rank and file employees who were just comfortable with technology before March didn’t magically get better in April. So, a lack of investment in training and technology in the past is having negative effects in the present. There has been much talk about moving to cloud services. Our clients don’t have control over all the vendors in that process, who have been experiencing heavy traffic since the pandemic began. We’ve had clients attempt to get large amounts of data out of cloud storage, for example, and we just couldn’t get it. So, when you do move data outside, you must consider how quickly it can be accessed if there is an emergency.
THOMPSON: The pandemic has put many constraints on budgets. They have been caused by less revenue to work with and shifting resources to more immediate needs. Add to that the fact that everyone is dealing with more cybersecurity issues, including strengthening their security posture, especially in a busy teleworking environment. That creates a dynamic: More security is needed, but there isn’t always the funding to support it. That’s happening in peer states, and it’s a concern even at the local government level.
RAIFORD: That’s probably true across the IT industry, because government is needing to provide many more services remotely, so its residents can take advantage of them without going into an office and risking spreading COVID or being infected. They have to meet that need.
Contracts with other companies or vendors often include security assurances. Should you ask for reaffirmations of those points in light of the pandemic? If so, what’s the best way to approach the subject?
THOMPSON: The state’s credit crisis management team actually discussed this when the pandemic first hit. Identify your critical applications and the vendors that support them. You have to ask how they are being secured. Will the vendors validate what they are doing and is there resiliency built into their systems? Do they have the resources needed to surge in order to support your growth? Part of the state’s procurement process is a continuous monitoring program, a risk management process, that requires vendors to attest their compliance, such as following best practices and that they’re meeting our security requirements, once a year. It’s something near and dear to me. Recently, a vendor partner was hit by ransomware, software that locks or exposes data until or unless, respectively, money is paid to the attacker. Its impact was huge, not only because it was statewide, but it was countrywide. And there have been other examples of that happening in North Carolina. In March, the city and county of Durham were hit by hackers using a phishing email. And ransomware set loose on the first day of class caused Haywood County Schools to close for a full week in August. My peers and I have discussed how can we get more transparency from vendors during a ransomware situation. North Carolina isn’t perfect, but something that we are working toward is making the process around how we do our vendor management in situations like that more standard and repetitive.
QUICK: It’s important to review your situation, especially when events, such as the pandemic, change the world, to see how your policies are holding up and your vendors are working. Even if you don’t have the bargaining power of the state, for example, which many of the small businesses that I work with lack, it’s worth asking your vendors about security and response. You might not always get the answers that you want, but the fact that you’ve asked and documented that you have asked can be a great defense if a vendor suffers a cybersecurity incident in the future. Even if they don’t make a change after you have questioned something, you at least can show that you pointed out the issue and followed a process. That’s important for businesses of all sizes.
ROETHLISBERGER: It really comes down to continuous improvement. None of the organizations that we normally deal with are considered ‘greenfield.’ They aren’t starting today, so they can’t make everything perfect. They must deal with the consequences of what they did yesterday. They have vendor and customer contracts, business relationships, connections and data exchanges that have been underway for years if not decades. Some may not know what is happening in the background of their computer systems, to be honest. So, it’s important to be constantly aware. Keep your antenna up, detecting developing challenges, and re-evaluate how you’re handling vendor relationships and find ways to improve them. Never assume that today’s solution will last forever. At the very least, review your policies and procedures, fine tuning and improving what you can, such as language in contracts or requests for proposals, once a year. Keep notes through the year, detailing lessons that you learned and issues encountered. It will make that task easier.
Has the pandemic raised any legal questions connected to cybersecurity and digital privacy?
WALTON: At the end of many contracts, there are several clauses that are often seen as boilerplate. One of them is usually the force majeure — act of God clause. Are those types of defenses coming up in cybersecurity cases? Is COVID being invoked as an act of God? I’m not currently practicing law, so I don’t see that first hand. It’s an observation.
RAIFORD: North Carolina Technology Association signs venue contracts for big events a year in advance. That’s routine business for us. When the pandemic arrived, some that we signed with were flexible, allowing us to push our event to next year. But one, owned by a company that does business worldwide, wasn’t agreeable to a date change. So, there was the force majeure clause. They claimed that COVID was a pre-existing issue, so when we contacted them to cancel or postpone our event, that was used to nullify the force majeure clause. The law firm that represents us wrote a letter back, and the venue caved. There was no further pushback. I was shocked. It’s important to have access to legal support. Government agencies have access to attorneys, the attorney general’s office and other resources. In the private sector, larger businesses have inhouse security teams, maybe inhouse counsel, too. They have access to high quality external counsel at the least.
QUICK: Force majeure clauses are attracting attention in all types of contracts. I have yet to personally see that standard provision cited in the privacy and cybersecurity arena, but I wouldn’t be surprised if I did see it in the context of a company’s unexpected shift to work-from-home resulting in system breach. Everyone is saying we couldn’t have expected that our employees would be sent home in a week’s time as an excuse for failing to maintain appropriate cybersecurity measures. One concern that I have about trying to use that line though is with the timing. It might be reasonable to expect cybersecurity disruptions within the first few weeks of the pandemic, but that likely isn’t the case anymore. We’re six months into this, so companies should be planning and getting a handle on how to secure their systems. I would be more cautious of trying to rely on the unanticipated and swift onset of the pandemic the longer that we’re in this.
Businesses and organizations, regardless of size, need cybersecurity. What advice do you have for small ones, where resources are often limited?
WALTON: Whenever we’re cold called by a third party, which could be an individual or business, the first question that we ask is if counsel has been contacted. There are reasons that you would want to maintain privilege over communications and other information if an investigation is active. Rightly or not, when there is an issue, especially one that may require disclosures, such as a data breach, or may result in litigation, we are overly cautious. We tell them to call a lawyer, then call us back. Sometimes they choose to move forward with us. And sometimes they pull back on the reins and go through counsel first.
QUICK: It’s almost always cheaper to talk with a lawyer on the front end of an issue than on the back end. We all know small businesses have budgetary limitations, but shoring up issues with someone who has the capabilities to advise on how to set up systems and policies before they happen will put you in a better place for the long run. Many times, you can receive this help through a trade group such as NCTA. They host presentations and webinars that tackle the concerns that you need to ask about. You don’t know what questions to ask if you don’t understand the issues. Clients can be reluctant to have me do a full risk assessment on their company because it comes with a cost that they aren’t willing to bear. They are willing to ask me about certain issues and have them addressed on an individual basis. But they usually only know to ask those questions if they are keeping up on new developments themselves.
LaSALLE: I come at this from a service provider’s standpoint. The first thing I’d say to a small business is don’t go it alone. If you’re trying to figure out how to run your network, PCs, cybersecurity and digital footprint, it will be really difficult unless you have the help of specialists or are a company that’s native to the technology industry. So, you should get help. A friend of mine is part of a family medicine practice, which has three doctors, a receptionist and support from an IT team. That team had the practice’s back when it was hit by ransomware. There were clean backups, for example. They had all the rigor that comes with a large enterprise, even though they were a small office. There are some really great groups out there, including NCTA and Cyber Readiness Institute. The latter has a cyber hygiene program that is low cost. It’s about practice not investment in technology. Its recommendations include using the password manager on Google’s Chrome web browser instead of relying on easy to remember — and hack — passwords. After you put that program in place, your people are harder targets, making your entire process more resilient to attacks. All it requires is intention from the business’ leadership to do it right.
ROETHLISBERGER: Small businesses should reach out to professional or industry organizations. Many have co-op programs that allow you to share services — legal, cybersecurity and others. And while it may be hard to hear, especially for small businesses, cybersecurity is a cost of doing business. You have to budget for it. If you can at least install best practices, you’ll be in a better place than reacting after something has happened. And, if something does happen, recovery will be closer at hand.
THOMPSON: Small businesses have other options such as a virtual chief information security officer. You get consultation from someone who can come in and help craft your security posture, mapping out a future for your business or organization as it moves to the next level, without having to pay all of that employee’s full-time salary. And take a data-centric approach to your organization or business’ cybersecurity. Focus on the data more than the infrastructure. Identify what needs to be protected, because that’s the bread and butter of your organization.
How has the pandemic affected the collection and storage of data?
QUICK: I agree; it’s important to take a data-centric approach. Don’t simply ‘Hoover’ up data. That old-school approach was to act like a vacuum, picking up every byte of data that you could. No one knew at the time which data was going to be useful for what, and that’s the heart of the problem. Data can be used for many beneficial things. But there are many bad uses for it, too. You might want to collect highly sensitive data such as Social Security numbers, driver’s license numbers and credit card information. But there’s risk with that, because it’s the data that makes you the most susceptible to data-breach laws throughout the country. And in almost every state and country that has any sort of privacy effort, most people agree that top-level data needs to be tightly protected. There are more issues coming down the pike. We’re looking at changes in laws that govern biometric data, those behaviors or physical traits that can be used to identify an individual. If you have clients in California, for example, and you meet certain thresholds, a new law there — California Consumer Privacy Act — will apply to almost every level of data that you collect. If you have a customer’s name and address, which is data that won’t be a problem in most states, it could be an issue in California. Conforming to new regulations can be easier for a new business that integrates data planning from the start. It can be much harder for one that’s been around for 50 or 100 years and never thought about these issues before. If you’ve been storing client data in printouts in a backroom file cabinet for 50 years, then you probably don’t need it. Take time to find it, remove it if possible and secure it if not. Maybe all your employees aren’t engaged in their normal tasks because of the pandemic, so maybe they have time for this work.
WALTON: Our clients fall into one of two groups. Those in the first are taking advantage of the pause created by the pandemic to do data analysis. The others are struggling to survive on at least some level. So, identifying the data that is collected, or which dormant server it has resided on the past five years, isn’t a top priority for the latter. And it won’t be until they have a breach. We also see the other side, where privacy is always a concern, but it’s not the most important. One of the top things that we tell clients is dispose of any data that you aren’t using. It could be a spreadsheet full of numbers or data stored on an older server that’s accessed maybe once a year on a whim. And many people have been laid off recently. Some of them are starting new jobs. Employers need to be mindful of what their new hires are bringing into their business. We’re seeing litigation on that issue, where the old employer’s confidential or proprietary information makes its way into the former employee’s new company. And like COVID, once it’s there, it’s very hard to get it out.
LaSALLE: If you don’t need the data to run your business, then don’t collect it in the first place. That goes hand in hand with getting rid of what you don’t use. In many small businesses there are enclaves of data, such as when an employee carves off some of a spreadsheet to do his or her job and leaves it, or the rest of the spreadsheet, sitting on their computer’s desktop. It goes everywhere, and it’s on everyone’s desktop computer or it’s on their laptops. It requires a little attention, education and uplift of your people to make sure they recognize potential issues and eliminate them. A lot of privacy regulation is tied to a customer’s or employee’s location, not where the business is located. So, if you’re doing more digital commerce because no one is coming into your brick-and-mortar store anymore, and you create an online footprint that extends out of state, you’re now collecting data that is subject to somebody else’s privacy regulations. Privacy regulations in more than 25 states nationwide are in the works right now. It’s not the job of a small business to adapt to all of them. But if you can restrict data collection to only what’s needed to service your customers, then you’re going to be better off when different values are applied to your data in different places. Some data records might cost you a couple hundred dollars if you lose them. Others will cost much more. Health records, for example, have an open-market value of a thousand dollars per record. You may become more of an interesting target to a criminal because of the data you possess. You have to be cognizant of that, too. And that may give you a target of where to focus your protection resources.
THOMPSON: Think about data disposal. Data ages out at some point, so what does your data retention schedule look like. It’s a journey into the world of privacy. We will see the adoption of more privacy rules. There are a bunch of them already in the works, including in North Carolina. Some may adopt more of the flavor of the General Data Protection Requirements, which governs the collection and use of personal information in the European Union, depending on the state or states that you’re working in. That will create more and more issues for small businesses. How do you allow someone to opt out of having their data collected? If you can’t answer that question, you might not want to collect the data in the first place.
RAIFORD: Even my organization outsources its IT management. We have a rule that nothing is saved to a work laptop, which all of our employees use. They can’t download even something as simple as a recipe list, Word document — nothing. And we have two good reasons. If that laptop goes missing or an employee leaves under bad circumstances and you don’t get that person’s laptop back, the policy eliminates any chance for data escape. We continuously monitor for policy adherence and remind our staff of it. Our employees are of different ages, from their 20s to their 60s and every decade in between. Each has a different level of knowledge and comfort with technology. Often a younger person is more OK with giving up data or personal information than someone from an older generation. We see that variation elsewhere, such as knowing what happens when a document is downloaded. Some never look in a download folder, failing to realize how much data is there, even if they have saved or used the wanted information elsewhere. Having clarity among employees about what they can save, how to save it and how to get rid of it, especially in a remote working environment, where it may be tempting to quickly save items to the clipboard or desktop, is an important message, especially right now.
ROETHLISBERGER: While many states and countries are developing privacy legislation, it’s unknown if the federal government will create some. That’s probably likely at some point. The real question is which of the ones that are enacted will be considered the high watermark, the one all others are measured against. No one has a crystal ball to see that future, so small businesses need to leverage their memberships in professional or cyber organizations, asking their professionals for guidance. If you review five that are now law, a cybersecurity professional should be able to tell you, based on the type of data that you use, what would be the most likely worst-case scenario as far as classification and handling. That will give you something to shoot for, putting you in a good position, at least for the foreseeable future. Some of that might be superseded by compliance for such things as the Health Insurance Portability and Accountability Act — HIPAA — or IRS Publication 1075, which lists requirements for keeping safe federal tax information. So, you really have to pick the ones that make the most sense for your business. And remember that some of the definitions or even the industry best practices can vary, depending on the legislation.
Does moving the data that you’re responsible for into the cloud keep it safer, especially when so much of it is currently being accessed remotely?
LaSALLE: One thing that many businesses can do, regardless of size or resources, is move to the cloud. It offers many controls that help with security and data protection. But they have to be correctly configured, or it’s a great opportunity to let data get out the front door. We’ve seen that in health care, for example, where 51% of organizations don’t follow FDA guidance on even the simplest things that will make their data more secure. And they’re moving it to the cloud at a rapid pace. That’s the one thing a small business can’t do alone. It needs help. And make sure you give appropriate notice to your clients if you move your data or functions to the cloud. Review your existing contracts to see if that runs afoul of any of them.
THOMPSON: When I discuss cybersecurity and privacy, one of the things that I caution state agencies, local governments and others is don’t consider the cloud as a way of transferring your risk. That risk still resides with you as a business owner. That data is yours regardless of where you put it, and you are liable for it. Make sure that if you are taking it to the cloud that you do so in a secure way that you understand. You need to know who’s looking at that data, who’s monitoring it and if something goes bump in the night, who’s going to be called to fix it. You still need to ensure that you’re doing the same things that you would if your system was on premises, which is to make sure it’s patched and make sure that you know that you have security and oversight.
ROETHLISBERGER: When a company or organization moves its data to the cloud, sometimes it overestimates the security that comes with it. This gets missed more often than you would think, even though we call it out all the time. A vendor may tell the customer that it meets a long list of criteria, and it’s doing all the right things. But what it’s talking about is its environment, not what the client deploys within that environment. That’s an important distinction. You can’t assume that just because your cloud vendor is doing the right things that what you move into the cloud is appropriately configured for it. It’s a double-edged sword. I believe that for small businesses and organizations, which typically don’t have deep IT experience, the cloud is probably a safe choice from a foundational perspective. But you still have to do the right things with your systems that are moving into the cloud.