EP 9: Non-Technical Ways to Manage Cyber Risk
About this episode
October 2, 2018
Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Newman DuWors LLP, explain how you need to use people, process, and management (in addition to technology) in order to have reasonable cybersecurity.
Kip Boyle: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives become better cyber risk managers. We are your hosts. I'm Kip Boyle, CEO of Cyber Risk Opportunities.
Jake Bernstein: And I'm Jake Bernstein, Cyber Security Counsel at the law firm of Newman DuWors.
Kip Boyle: This is a show where we help you become a better cyber risk manager.
Jake Bernstein: The show is sponsored by Cyber Risk Opportunities, and Newman DuWors, LLP. If you have questions about your cyber security related legal responsibilities ...
Kip Boyle: ... and if you want to manage your cyber risks, just as thoughtfully as you manage risk in other areas of your business, not just sales, accounts receivable and order fulfillment, then you should become a member of our cyber risk managed program, which you can do for a fraction of the cost of hiring a single cyber security expert. You can find out more by visiting us at CyberRiskOpportunities.com, and NewmanLaw.com.
Jake Bernstein: What are we going to talk about today?
Kip Boyle: All right, today we're gonna talk about the non-technical things you should be doing to manage your cyber risks.
Jake Bernstein: Well, wait a second. Cyber risk, I thought that was all technical. What do you mean by non-technical?
Kip Boyle: Yeah, this is exactly why we're talking about this. Some executives that I've spoken with over the years think that cyber risk management means, for the most part, buying and installing a bunch of software and hardware products, and just letting the IT department handle that. While they're doing that, the executive forgets about cyber risk and goes back to their job until the next product refresh cycle, which might happen a year or two later.
Kip Boyle: That seems to be the common conception of cyber risk management. But you know, Jake, just as well as I do that cyber security is a journey, it's not a product. In reality, there's quite a bit of recurring activities in order to have a good cyber risk management program, where you need to get your people, your processes, and your management involved, in addition to your technology.
Jake Bernstein: Can you give me an example of that? It seems really important, but also a little abstract.
Kip Boyle: Yeah. It's very abstract at this point. Yeah, so I've got a couple of examples that I think will help make this idea a bit more concrete.
Kip Boyle: Let's look at something from the detect function in the NIST Cybersecurity Framework. What it says, and in question form, how well does your organization monitor for and detect unauthorized users? That references DE.CM-7.
Jake Bernstein: Wait, wait, wait. You just said DE.CM-7. That sounds like something in an instruction manual, or an industrial code, or even something that a lawyer would say. What does that mean, and where does it come from?
Kip Boyle: Yeah, all right. All right, I'm trying to make it easy and actually made it a little bit more abstract again. All right, so let's just roll back a moment.
Kip Boyle: The NIST Cybersecurity Framework, first things first. That was published in 2014. For anybody who doesn't know, NIST is an acronym and it stands for the National Institute of Standards and Technology. You might think that's part of the department of defense, but it's not. It's actually part of the Department of Commerce, here in the United States.
Kip Boyle: NIST is a really interesting agency. It does everything from cyber security, as we're talking about now, to things like what's the definition of a gallon of milk. How much fluid is in fact a gallon of milk, and when you pump gasoline, what does it mean to get a gallon of gas when fluctuating temperatures can change the amount of gas that you get? It's important [crosstalk] for commerce.
Jake Bernstein: Can they do a ...
Jake Bernstein: Yeah, and they define a kilogram and a pound, and all [crosstalk] that kind of stuff.
Kip Boyle: That's right.
Jake Bernstein: Yeah.
Kip Boyle: Yeah, yeah. It's standard measures, and we've learned that standards are a great thing to have. It really does enable commerce. By Presidential Order, NIST was compelled to attempt to set standards around cyber risk management. They did something really excellent. Other organizations that have done similar things sometimes convene a panel of scholars. They sit in a room for weeks or months, and they say, "Well what should people do?" And they build a standard.
Kip Boyle: But NIST did something different. They actually went out into the private sector and said, "Hey, we need to build this framework. Will you help us?" NIST really acted more as a facilitator or a coordinator of the standard, and the actual standard itself was written by industry, which is pretty amazing. In fact, it's a bit of a living document because NIST has continued to engage with industry, to try to figure out, "All right, we've got version one of this thing. What should the next version look like? What did we miss the first time? What could be better?" There's going to be some upgrades to it as we go along.
Jake Bernstein: Yeah. We discussed this before on this podcast. I believe listeners can go back and look at Episode Two or Three, where we discussed the NIST CSF, in conjunction with the Federal Trade Commission.
Kip Boyle: Mm-hmm (affirmative). Yeah, and if you decide to listen to us in future episodes of this podcast, I'm sure you're going to hear more about the NIST Cybersecurity Framework. The idea here, the goal of the framework, is to help organizations assess and improve their ability to identify, prevent, detect, respond and recover from cyber attacks. There's five high-level functions. Then there's about 22 activities underneath those five functions. Then at a third level of detail, there's about 98 third level items. That's how it's constructed.
Kip Boyle: That reference that I gave you, DE.CM-7, is the unique identifier for this example.
Jake Bernstein: Is it the third ... So that's the third level citation. It would be DE is detect, CM is ... What is CM?
Kip Boyle: Well I think that's continuously monitor.
Jake Bernstein: Continuously monitor, and then so -7 would be the seventh sub item under continuously monitor.
Kip Boyle: Yeah, that's right. That's how you ...
Jake Bernstein: Lawyers ... Yeah, we like citations like that too. It's like how we cite to statutes, and cases, and everything like that.
Kip Boyle: Yeah. It turns out engineers and ...
Jake Bernstein: Engineers, yup. Engineers would do the same thing.
Kip Boyle: Yeah. Standards making people like it as well. I actually like it too because there's a lot of stuff in there. When I speak with a customer about what they need to do, it's great that I can just say, "Well here's exactly the part of the standard that we need to look at now."
Jake Bernstein: Yeah, that's helpful.
Kip Boyle: That's why I'm in the habit of citing it.
Kip Boyle: Okay, so you ready to continue with the example?
Jake Bernstein: Yeah, let's do that. So DE.CM-7.
Kip Boyle: Right. The idea here is that when user accounts are stolen or compromised, especially the powerful administrator accounts, typically this is part of an attack pattern, and that can result in a data breach or unexpected downtime for your organization.
Jake Bernstein: How does your cyber risk management program benefit from doing this well, the ability to detect and continuously monitor?
Kip Boyle: Right. Well this is super important because, and this is very simple I hope, the more quickly you can discover that you have an intruder, the more likely it is that you can prevent an already bad incident from becoming much worse. So that's [inaudible] [crosstalk 00:08:03].
Jake Bernstein: Okay, so I definitely want to be able to do that. What is the best way to monitor and detect unauthorized users into my system then?
Kip Boyle: Yeah. This is where we get back to this common conception that cyber risk management is some kind of a product that you buy and install. There certainly are many, many products that you can go and buy, and install. Some of them cost a tremendous amount of money and require a lot of ongoing resources. A lot of people think, "Well I need to do that, but that's so expensive. Maybe I need to go find a vendor to implement it for me. Or maybe I just need to outsource that." But what I like to say to people is, "Hold on. That's not your first stop on this journey." The first stop on this journey is if you have nothing in place right now, don't try to skip directly to some kind of a highly scalable, highly automated, extremely expensive tool.
Kip Boyle: You can start very simply. You probably have everything you need right now, or if you don't, you can get these pieces for not a lot of money. Your systems are already generating logs today, about all the different things that happen on them. All you need to do, in order to monitor administrator accounts, is you need to make sure that you're collecting the right data on when those accounts change, or those groups of accounts change. As long as you're collecting the right data, then what you need to do is you just need to look at that data, say once every 24 hours.
Kip Boyle: You can go get a very inexpensive product, or if you've got a highly technical person on your team, you can actually just use the Perl scripting language. You can export the logs on a daily basis, and you can write a Perl script that can automatically search through those logs, find any indication that your administrators group has changed, and then that can be put on a report. Now if you don't have anybody who knows how to use Perl, then you could go buy a product like Netwrix Auditor. That's spelled N-E-T-W-R-I-X. Netwrix Auditor. You go to Netwrix.com, you could find out about them. By the way, we get no compensation for recommending Netwrix, it's just we've had some really great experiences using that product.
Kip Boyle: But however you do it, what you want is you want to know when is my administrators group changing. In other words, are there user accounts coming into that group? Are the user accounts being removed from that group? Or is it changing in any other way? Anytime you see that it's changing, you want to investigate it, you want to find out, was it supposed to change? You have to do a little digging in the beginning when you start doing this. It's a little time consuming. But once you're doing this well, then one of the biggest indicators of compromise for all kinds of different attacks, you now have under control. It's pretty amazing.
Kip Boyle: From here, you can do other things too. For example, you probably have a payroll system and that payroll system has an administrator account on it. You could do the same thing. You could have a daily report that tells you how the administrators group in your payroll software is changing. Again, it can give you this alert that you're under attack.
Jake Bernstein: Something that ... It's interesting, we're talking simultaneously about how there's these non-technical things that you can do. But we're also talking about Perl, and scripts, and computer logs. But I think what's important to realize is that just because you have a tool, or a script, or logs, that doesn't mean you're doing cyber security, right? Someone has to exercise judgment on all this data.
Kip Boyle: Right.
Jake Bernstein: It's a lot like teaching a computer to spot the camouflaged animal in a picture. It's a lot easier said than done. A human can do it relatively quickly. We're actually particularly good at that. But my understanding is that teaching computers how to do that pattern recognition is very hard.
Kip Boyle: It is [inaudible 00:12:37].
Jake Bernstein: This is the same kind of thing. There's all this data, and yeah there's some technical tools, but really what you need is you need someone who has judgment and knowledge to see that.
Kip Boyle: Yeah, that's right. That's where the people and the process and the management come into play. If you go out and try to buy some kind of artificial intelligence or machine learning driven solution, and if your idea is, "I'm gonna look at everything and I'm gonna sort through everything, and I'm gonna look for every instance where somebody's doing something that I don't want them to do." I just think you're biting off way more than you can chew. It turns out, even the largest enterprises don't get this right.
Kip Boyle: A good example of that is Target, the retailer, and Home Depot, another retailer. As we know, they both got hacked and had tens of millions of credit cards stolen. In the retrospective, in the root cause analysis of what went wrong, how did somebody get in, and it turns out that their systems had in fact detected an intrusion. The problem was that they were searching on so much stuff that they didn't recognize the individual collection of alerts, the small, small amount of alerts among millions and millions of other alerts. They just didn't see it. They were trying to do too much.
Jake Bernstein: Yeah. Discovery of the problems is very challenging. That's good to know. How about one more example of what we're talking about here?
Kip Boyle: Yeah. Let's take a look at the recover function. Just to recap, NIST Cybersecurity Framework has five functions. We just looked at a thing that needs to be done in terms of being able to detect incidents.
Kip Boyle: Now let's look at recover. Recover is the last function. It assumes that if you've had an incident, you've detected it, you've responded to it, which means you've contained it so that the damage isn't spreading anymore. Then the last function is you want to recover from an incident. Let's take a look at one, and it says, "After a public data breach, how well do you manage your public relations to protect your organization's reputation?" The citation here is RC.CO-1.
Kip Boyle: Now most of us have never done this before. You've never had to manage your reputation after a public data breach, but that's exactly the point. With something like this, you cannot wait until you're in that situation to figure out what to do. It's such a pressure cooker, and you're gonna need experts, you're gonna need a plan. You may be listening to me right now saying, "Well how bad can it be?" Well I'm gonna give you two examples of how bad it can be.
Kip Boyle: The first example is probably one that you've seen, the complete dumpster fire that is Equifax's data breach, and their ham-fisted attempt to respond and recover from it. We've seen congressional testimony.
Jake Bernstein: That didn't go well for them, did it?
Kip Boyle: No. It went horribly for them. Here they are struggling to explain themselves after this horrific data breach, which they may be ultimately found to be negligent, but I have a hard time believing that the executives at Equifax explicitly knew that this could happen or would happen. I think that's what we're seeing here, is that they really didn't think it was gonna happen. So here they are struggling. Unfortunately, their situation just keeps getting worse and worse. We've seen some news reports in the last week or two.
Jake Bernstein: I saw that.
Kip Boyle: That there was actually even more data in the breach than they first let us know. I've got a whole separate presentation that I do where I break down the Equifax data breach into each of the five functions, and we explore whether or not Equifax had reasonable cybersecurity, or not. But I think we can all agree that Equifax is a case study in what not to do when you're recovering from a public data breach.
Kip Boyle: I want to give you another example, because I think this one's in some ways, even worse. In 2015, in the United Kingdom, there was a mobile phone company called TalkTalk. The CEO, Dido Harding, gave video interviews as she desperately tried to take control of the post-breach narrative about did TalkTalk behave reasonably? How did this data breach happen? What are they gonna do about it? It's painful, so painful to watch the CEO struggle to say the most basic things without news reporters twisting words, and taking things, and really making her life, and the lives of her employees and her customers super, super painful. I don't wish this on anybody. Just don't become these people.
Jake Bernstein: Don't do it. How does the cyber risk management program benefit the company, if they do this well? What's the value here?
Kip Boyle: Yeah, so let's talk about the business value of good recovery. We've got data, public data that's available in the public that was done in response to some research. It shows that when a public data breach happens to a company, they can lose up to 6.5% of their customer base in the weeks and the months that follow that public data breach. That's abnormal churn, which is to say customers leaving because of a specific event.
Kip Boyle: What's important is that you probably have what might be considered a normal churn rate. You've got people who stop becoming customers for all kinds of reasons, and you regularly have to replace them and then hopefully get more customers so that you grow. To lose 6.5% of your customer base very quickly after an incident like that, can be incredibly expensive to recover from. Why is that? Well because you're losing revenue. At the same time you've got to spend more money to acquire new customers. We all know that it costs more money to acquire a customer, than it does to retain them. In general, that's what's going on.
Kip Boyle: The business value of being able to recover should be clear. You're talking about top line revenue, and you're talking about ultimately bottom line because your expenses are gonna go up. Not only the expense of acquiring new customers, but at the same time you're gonna be spending a ton of money just managing the data breach. You're gonna have to do notifications, you're gonna have to get some lawyers involved, you're gonna have to do digital forensics, you're gonna have to answer inquiries from state law makers, potentially regulators, federal regulators. It's not a good time and the last thing you want is a lot of customers leaving all at once. So it's just really horrible.
Jake Bernstein: Yeah. No, very much so.
Kip Boyle: But what's amazing and what we talk to our customers about is risk isn't just about all downside. There's actually good opportunities inside of risk. That's the whole reason why we have private enterprise. We're putting assets at risk and we're gonna make a good return on that. That's the goal.
Kip Boyle: So guess what? You could actually, if you lean into this risk and you do a good job at it, you can actually enhance customer trust on the backside of a data breach. How do you do that? Well through the transparent handling of the crisis. You might be thinking, "Okay, Kip. Great theory. How does that actually work?" Well, I have two examples.
Kip Boyle: Yeah, so in 2013 Adobe, which is the name of the company that produces Photoshop and a bunch of other creative software, they had a data breach. One of the things that they did really, really well is that they were quick to notify their customers of the breach. Because their customers had accounts in their systems, they actually sent out a series of password reset emails to let people know that there was a problem, and to give them something that they could do in order to protect themselves.
Kip Boyle: You know what, it must have worked because those actions, along with some other actions that they took, when people talk about the poster children for data breaches, I don't ever hear anybody mention Adobe. Do you?
Jake Bernstein: No. No, I wouldn't have even known they got hacked, actually.
Kip Boyle: That's right. They handled it so well that nobody even thinks about it anymore. You can go to Google News, and you can search, and you'll see many, many headlines. It wasn't like the news media cut them any slack. They didn't. It's just that Adobe was ready. When the time came, they did a masterful job at responding and recovering. Again, it had much more to do with people, and process, and management, than it did with technology.
Kip Boyle: I got one other example for you, which is Home Depot. Home Depot got hacked just like Target did. Just like Target, Home Depot lost control of tens of millions of credit cards. Just like Target, Home Depot was in the news for a long time. But what's interesting is that even though both those companies got hacked the same way, through a third-party vendor, Target is over, and over, and over again held up as what not to do. In contrast, I don't hear Home Depot mentioned nearly as much. What's your experience?
Jake Bernstein: Not as much. No. I think I hear Target talked about far more than Home Depot, even though I think the Home Depot breach may have been technically larger. I don't recall if it was or it wasn't. But I think that ...
Kip Boyle: It was the same magnitude of breach. That's for sure.
Jake Bernstein: Same mag ... Yeah, exactly. No, now that I think about it, Home Depot ... People talk about Home Depot as having been breached, but when you talk about bad cybersecurity, or mistakes, or failures in this, you almost always hear something more about Target, or of course, Equifax, which I think is basically taking everyone else and just ... They're the clear masters of not handling a breach well.
Kip Boyle: That's right. Okay. We've talked before on this podcast about the court of law versus the court of public opinion. Your response and recovery efforts as an executive of your organization are going to say a lot, in both of those courts. The reason why Home Depot doesn't show up nearly as much as Target does is because why? Because they did a great job handling the incident.
Kip Boyle: One thing they did is even before they fully confirmed that they had a data breach, in other words, as soon as they suspected that they had one, they immediately notified their customers. They walked out the response and recovery from the data breach with their customers. They invited their customers to come along with them, as they continued to investigate, and continued to figure out what happened, what's the extent of what happened, how is that affecting everybody. They actually didn't suffer nearly as much as Target did, even though it was almost the same hack.
Jake Bernstein: Well it's fascinating. I think the lesson here is that contrary to what certain lawyers might advise at certain times, transparency is often the better course of action. What do they always say? It's not the crime that gets you, it's the cover up. Whether you're looking at Nixon and Watergate, or the current Russian investigation, the focus is always on not necessarily even what happened, but the attempt to cover it up.
Kip Boyle: Yeah. That's ...
Jake Bernstein: It's a lot like the same ... The same concept holds true for data breaches here, is that getting breached, it doesn't have to be a badge of shame. What do security experts say? There's only two types of companies in the world. Those who have been breached and those who don't yet know that they have been breached.
Kip Boyle: Exactly. Exactly.
Jake Bernstein: It doesn't have to be this, "Oh my gosh, we can't say a word about it." Now it doesn't always hold true. It depends on the industry. But it does seem that you can get yourself in much bigger trouble just by trying to hide it or not doing a good job communicating.
Kip Boyle: Exactly.
Jake Bernstein: It's good to see that communication is its whole section under the recover function of NIST CSF.
Kip Boyle: Yeah, that's right. In the heat of the moment, most human beings don't want to talk because it feels embarrassing, you don't know what to say. You can understand why people are tempted to do the cover up. But if you've done some pre-planning for a public relations crisis like a data breach ... Of course, there's other public relations crises that you can find yourself in, so if you do pre-planning, you reach out and get a public relationships expert on your team, and it could be somebody that you contract with, it doesn't have to be an employee on staff, and you create the plan. Most importantly, and this is where the process, and the people, and the management really come into this is that you have to practice that plan. If you don't, then when you need it, 1) you're not gonna know where it is, 2) you're gonna have to blow an inch of dust off the binder because you haven't touched it for so long.
Jake Bernstein: Yeah, I know.
Kip Boyle: The thing to do is to practice it, like maybe every six months. You spend an hour with the most important people who are gonna execute on that plan, and you just remind yourself of what this plan is asking you to do.
Jake Bernstein: Yeah. You might hear that concept referred to as table topping. Do a quick table top exercise and often you hear that with incident response plans. But really, this PR component of recover is, or it certainly should be, part of your incident response plan.
Kip Boyle: Yeah. That's right. You want to be able to respond, contain the damage, and then you want to be able to recover, which is get back into business.
Jake Bernstein: Get back into business.
Kip Boyle: There's so many things, right? There's so many things you need to do, but today we just want to focus on this idea of what do you need to do in order to manage your public relations. In the midst of everything else, the wheels just flying off your cart, it seems like managing public relations would be the least important thing. Hopefully people who are listening now realize, no, it's an incredibly important thing.
Jake Bernstein: Incredibly important thing. Yeah.
Kip Boyle: Yeah, exactly.
Jake Bernstein: Great.
Kip Boyle: All right. Well thanks everybody for joining us today on the Cyber Risk Management Podcast. Today we talked about the non-technical things that you should be doing to manage your cyber risks, and we've only really looked at two things. There's so many more things. We hope we've given you a good example of this.
Kip Boyle: Thanks everybody for joining us today on the Cyber Risk Management Podcast.
Jake Bernstein: Remember that cyber risk management is a team sport, and needs to incorporate management, your legal department, HR and IT for full effectiveness.
Kip Boyle: Management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. If you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk management program.
Jake Bernstein: You can find out more by visiting us at CyberRiskOpportunities.com, and NewmanLaw.com. Thanks for tuning in. See you next time.