S3 #01 Protecting your brand in the ransomware era

Brian Spanswick

Brian brings 20 years of experience managing IT and cybersecurity organizations within high-growth companies and providing consulting services for large, globally dispersed blue-chip enterprises. His leadership is pivotal in advancing core business operations, accelerating digital transformations, and building cybersecurity protocols that secure company, customer, and employee data. Before Cohesity, Brian managed Risk and Information Protection at Splunk, leading and rapidly expanding the organization responsible for managing cyber risk across the company. Brian’s prior roles also include leading the digital transformation of core business functions for McKesson and Grainger. Brian holds a BA in Economics from the University of Colorado.

Ransomware is the primary threat for businesses these days and cybersecurity experts believe this criminal enterprise will reach new heights in 2022. Cohesity’s latest research points to strong consumer sentiment towards organizations that pay out on digital ransoms. What should you and your organizations do? Brian Spanswick, chief information and security officer at Cohesity, answers critical security and ransomware questions, including how to protect your brand.

ransomware, security, data protection, data security, tabletop exercises, data breach, data privacy
Date Published: January 13, 2022

[00:00:00] KRISTINA: Welcome to the first Power of Digital Policy podcast for season three. Can you believe - season three?

[00:00:07] INTRO: Welcome to The Power of Digital Policy, a show that helps digital marketers, online communications directors, and others throughout the organization balance out risks and opportunities created by using digital channels. Here's your host, Kristina Podnar.

[00:00:23] KRISTINA: Thanks for joining me on this journey where together we explore the balance of risk and opportunity and how to best enable your organization and digital workers by getting your digital policy correctly defined. One of the areas we've seen in the headlines regularly is security and ransomware. It's a tough area with a constantly evolving strategy and, therefore, policy. To learn more, I spoke with Brian Spanswick, a chief information security officer at Cohesity. Brian brings 20 years of experience managing IT and cybersecurity organizations within high-growth companies while also providing consulting services for large globally dispersed blue-chip enterprises. His leadership is pivotal in advancing core business operations, accelerating digital transformations, and building cybersecurity protocols that secure company, customer, and employee data. Let's tune in and listen to the insights which Brian shared:

KRISTINA: Amid rapid attacks that we're seeing in the daily headlines detailing the breaches, obviously businesses are caught in this really hard place between sort of do they pay or do they suffer if they're faced with a ransomware situation. Are more businesses choosing to pay these days? What are the biggest drivers you're seeing in the decision-making process?

[00:01:40] BRIAN: Yeah, it's a tough question for sure. And one that each company really does have to consider based on their specific situation environment. I talked to my peers in Silicon Valley; the conversation came up a lot. And it's understood that if you pay, you're continuing to fund these organizations; you're continuing to fund these kinds of attacks.

But the trick is how do you put yourself in a position where the decision isn't as hard as it appears, meaning that are there things that the security group is investing in that minimize the impact of these attacks and then take the option of paying off the table.

[00:02:16] KRISTINA: So that's interesting because even with the best of security, it seems like cyber events are likely to happen. An organization's going to face something sooner or later. Is it a ransomware battle that we've lost?

[00:02:26] BRIAN: Ransomware is not about all that we've lost at this point. I think historically what we've done is really focus on the protect controls, trying to prevent the breach that leads to ransomware, and we should continue to do that. And one of the reasons you're seeing such an increased proliferation of ransomware attacks is it goes after where the companies are most vulnerable, and that's through social engineering, things like phishing attacks, they're the hardest to protect against because it's that human behavior variable, that's difficult to lock down. It's a company should certainly have a phishing program, should be educating and training their employees to be able to recognize and know what not to do in those situations. But I think what you're seeing in the last six, 12 months, especially as these attacks have become more pervasive, is companies starting to not just invest in preventing the attack but also investing in minimizing the impact of it. So historically, it's been difficult to have strong RTO and RPO targets, how quickly you can recover from your backups and what time you recover from. And more companies are looking at that option to minimize the impact of the ransomware attack so that you aren't held hostage to those demands from the attacker.

[00:03:42] KRISTINA: So, let's talk about that for a moment. It seems like a lot of organizations don't have a clue right now about what data they have. So how do they know if they're in a ransom situation if they pay that they're going to receive their data back, or how do they know what even what they've lost, does it matter? Do consumers want to know?

[00:03:58] BRIAN: Consumers certainly want to know it; our survey showed that consumers are very much aware of this threat out there and absolutely are thinking about what the potential impact is to their organization or to themselves, for the organizations that they interact do business with. The challenge, you're right, it's hard for companies to know where all their data are. There's a good place to start when you look at your core business processes and start to lock down the data that's associated with the systems that execute the business within the organization, that's where the ransomware attackers are going to be most focused because that's where they can disrupt service. So, in these ransomware attacks, there are two approaches for them to exploit the needs from an organization. One is from holding the data captive, not so much stealing it, but making it not accessible by an organization, therefore really stopping their internal business processes. And the other is stealing the data and threatening to sell it. But I think it's more common from these ransomware attacks, the latter situation. So with that understanding, you can start to lock down and focus on protecting the data associated with those core business processes.

[00:05:14] KRISTINA: What are some of the best practices that you're advising organizations around that? Because it seems like there's certainly a struggle in terms of how do you lock down, how much of a lockdown do you really need? What's good enough? What's too much? What's just about right?

[00:05:27] BRIAN: Yeah. So, there's a couple of aspects that need to be considered when you're thinking about locking down the data; you want to make sure that that data is protected, has a perimeter that makes it difficult for them to be able to access the system or environment where the data is housed, then also thinking about the solution with what you store and manage your data from. So, if there are characteristics or security controls that minimize the attacker's ability to access the data, change it or delete it, certainly that the data is encrypted, and that encryption is sophisticated enough to make it so that they can't use the data. Those are all things that companies can invest in. When you think about it in the context of a ransomware attack disrupting business services, the other thing to think about is, can you restore your systems from those backups? So, I've been in IT a long time, and historically air gapping was something that we considered in the context of protecting our data. There are those systems that were not accessible through the network. But that doesn't work today when you're thinking about a ransomware attack because you need to be able to recover your systems from that data. And so, with those data protects controls that I just spoke about. If, in addition, you've got the capability to quickly recover from those backups and from a recovery point that's recent, then you're doing two things to protect yourself against these types of things. One is trying to protect access or prevent a breach. And the other is that in the case of a breach, how quickly can you restore services so that you're not put in a position to be a victim of ransomware.

[00:07:02] KRISTINA: One of the biggest challenges that I see these days, especially with digital marketers and their teams, is lack of awareness in the security space. What do you see when you look across the landscape, and how do you advise the CSOs to start to partner or make themselves more relevant to folks that can go out and just procure SaaS services and not pay attention to security and sort of flip the coin and hope for the best?

[00:07:24] BRIAN: Yeah. You see a little bit of a change in that trend because of all of the press that these kinds of attacks are getting. So, the conversations that I have now with our executive staff and with our board of directors, historically, security was seen almost as a tax, a utility that they had to pay for. And in today's environment, you're seeing more and more C-suite executives, board of directors, really driving the conversations around the level of security and investment they need for their business to be viable. That starts to bleed into the conversations where you do have other business units procuring a SaaS-based tool. Without the same level of security controls that I would have if my IT organization, as a part of the CSO group is, was going to be managing those two modes. So organizations really need to think about that because it's not just the deployment of the controls but the attack surface that we're able to protect. So, in previous companies, and I'm seeing this more and more with my peer group is that the IOT organizations are actually getting involved. And that business units can't just go out and procure SaaS-based solutions without CSO organization completing a security assessment. And then also a discussion around how do we maintain the controls associated with those SaaS solutions if we're outsourcing it to the vendor. Or the business unit is taking it on. In our case, if a business unit does take it on the CSO organization will assess the security posture of those tools on a quarterly basis to make sure that we're not increasing the exposure of our security.

[00:09:05] KRISTINA: And it's quarterly and up kind of basis enough you think, or do things evolve more rapidly? I know that for some of the organizations I work with, they settle on every 12 months, which seems a little bit too infrequent.

[00:09:17] BRIAN: For sure. It depends on the controls. So, there are certain controls that are tied to, that are looking at how we're protecting ourselves from external attackers, certain controls around the encryption or the protection of the data. We're monitoring the effectiveness of those controls ongoing if there's something that cause them, those are all systemic controls or programmatic controls that we can assess more frequently. Controls like training. Some of the communication controls that we've got in place quarterly is sufficient. And then we've got some governance controls that are more tied to a compliance program that we do annually, but it's really thinking about the type of control that it is that the security that you've deployed, how frequently you need to be monitoring its effectiveness.

[00:10:02] KRISTINA: Brian, you mentioned a bit ago that you surveyed consumers around ransomware and specific kind of gauge their payout sentiment. What did you learn? What have you seen from consumer feedback?

[00:10:12] BRIAN: I wasn't too surprised by the feedback that a majority of the consumers said that they would lose confidence in a business partner that paid the ransom, and which makes sense. And it's their interpretation is that a company putting itself in that position does not have the security hygiene that they would expect from a trusted partner. That's where they damage companies even beyond the cost of paying the ransom is the cost to brand equity, customer loyalty. One of the things that we saw in the survey is that a significant number said that it would negatively impact their decision to continue to do business with them.

[00:10:53] KRISTINA: Does the sentiment change depending on the data type or with whom it's associated? For example, driving down the highway, my car is going through a toll device, and there's data being collected. I don't really care about that, but you talk about maybe my personal medical data or my kid's school data, and all of a sudden, my posture changes.

[00:11:11] BRIAN: Yeah, absolutely. It is different based on the type of data that's exposed. And I was surprised that consumers were getting that sophisticated understanding of the distinction between the criticality of the data. Because I think if you would have asked if we would have done the survey maybe even as recent as three or four years ago, they would have seen all of that as a threat. And I think they're getting more sophisticated that especially with the use of social media, everybody's comfort with pulling data from the internet, that there is that data in and of itself, isn't threatening personal data in and of itself. It's specific kinds of data that create an exposure or risk for the individual. I also think that's because of that, that it is so important to protect consumer data because they do understand what's critical. They do understand, even if they don't know the term, personally identifiable information, health care information, and they understand the impact if that information is shared. And that's where those trust issues come with their business partners.

[00:12:09] KRISTINA: You've mentioned the responsibilities or accountabilities for the organization, certainly having a training program for employees, but what really should be the requirements for end-users? I mean, what is the role of a consumer in security in any kind of ransomware threat, or should there be a role or an expectation?

[00:12:28] BRIAN: There is a role as it pertains to it's similar to the phishing attack scenario that I described to internal to the organization. There are the attackers that are looking for that individual information going after it; it's a very similar style fashion with things like phishing attacks, things like bogus websites that capture their credentials, that then allows the attackers to gain access to that individual's information within a specific organization. So there is a responsibility for the consumers to think about how they are exposing their data and in the ways that they're interacting with technology. It's a shared responsibility.

[00:13:06] KRISTINA: So, how do we net that out? I was thinking specifically about this crazy scenario that happened to us last November, my son who's in high school, very early stages of high school, ended up getting an email sent to him at his school address, which by the way, has his unique student ID as the email address. And it was a crazy kind of phishing attempt asking about replenishing his school lunch account, which also has the same user ID. And because it was using that student user ID, he felt that it was probably a trustworthy source, but something in the back of his mind still said, hey, let me go check with my mom before I answer. And it was very obviously a phishing attack, but the school never really did anything about it. And here they are using this unique student ID as an email address, which publicly ties a unique individual, a unique way to a lot of data. When we're talking about a business versus an educational institution versus a nonprofit versus a government, are there different levels of responsibilities and accountabilities that you see, or is there sort of a minimum threshold we should be adopting from a consumer posture?

[00:14:08] BRIAN: You would like to think there would be a bit of a threshold that we should be adopting from a consumer posture for sure. The challenge with it is the cost to be able to protect. And so when you see these kinds of attacks, that is a great example with the educational institution. Most government institutions are many, don't have the monies to invest in a training program around phishing is an expensive program for a corporation. And the corporation is weighing that risk against the revenue and the profits. You don't have that scenario with some of these public organizations. I think in those situations, more so than with a corporation, we've got to have good hygiene on the consumer side. Because there's just not going to be the same level of controls and the same level of protection that you would see in an organization like a bank or Amazon or Google, or some of those other organizations that have a professional stake that they're investing in.

[00:15:06] KRISTINA: So that being the case, what are the three things you would say to any consumer out there or any parent who has somebody in a high school, middle school? What are the top three things you would say? And as a consumer, you know, carry those good hygiene practices forward. What, what are the things we should focus on?

[00:15:27] BRIAN: The first thing I would do is make sure that we've got strong passwords. And all of them, all the sites that you interact with. So, you're using something like LastPass solution where there's random generation of passwords that can be managed through a tool or an application really makes it difficult for there to be some of the hard cracking of, of personal passwords, that's going to go a long way to protect it. The second thing is really just common sense. Think to yourself, why am I being asked to provide this information? And does it make sense in this transaction? That also goes a long way. You put those two things together, and I think you'll see that most consumers, most consumers, or individuals would avoid the situations that we're talking about. The third thing is making sure that the websites that you're interacting with are secure, and you can see; you'll see that in your browser and the upper left-hand corner. They'll tell if you're dealing with a secure. And you'd be surprised at how much, how far those fundamentals would go to protecting an individual. It's really no different than a corporation. We're not doing anything super sophisticated when we're ensuring we have the right level of security posture within the organization. We're making sure our data is encrypted. We're making sure we got a set of firewall protection that we are up to date on addressing vulnerabilities. The foundations, even as attackers become more sophisticated, really go a long way for that kind of protect.

[00:16:51] KRISTINA: That's great. That's wonderful to kind of net it out into not just simple actions, but ones that we can take right away to ensure that our practices are getting sounder and helping us across the board. So, one last question here for you, Brian, because I'm very curious, obviously the best practice in the world is to make sure that you don't put yourself in a position where you're going to be held at ransom, but what are some of the mitigations that you would advise an organization? What should they proactively be doing? Should they be doing training around negotiation? Should they be buying insurance? Obviously, you've talked about buttoning up your security practices, but what else should they be thinking about beyond the basics of training and doing good hygiene?

[00:17:32] BRIAN: Yeah, so to say train training's a big one. And it's something that needs to be vigilant. They need to not just have an annual security awareness training program, but they really should have an ongoing program that creates a culture of security within the organization. The other thing that's supercritical that goes beyond, I talked a little bit earlier about minimizing the impact of a ransomware attack by being able to aggressively recover from backups and restore your core processes. It's not enough just to have that capability from a technology perspective; you have to practice it over and over again. It's one thing to have instructions of how you would recover core business processes written down, or even if you go so far as to test the recovery of the technology, it's not enough. You've got to be running scenarios where you've got folks that are involved in the end-to-end process. Walking through what it takes to recover from backup, you should be doing those kinds of tabletops. You don't have to test every business process quarterly, but if you're doing it across a multiple set of processes with similar roles that are engaged in that testing, they'll start to build muscle memory. And won't be exactly like when an attack occurs that you'd be shocked at the difference that those, that kind of rehearsal makes it, it kind of cuts days out of your ability to recover from backup and days that means everything in these scenarios. If you think about a business not being able to execute or recognize revenue for several days, that's interesting.

[00:19:07] KRISTINA: This is a great insight. Brian, really appreciate you being with us and sharing all your knowledge. Certainly, learned a lot, and I appreciate you taking the time to share with us the practical tips. Certainly, come back and tell us more as you move along and as things change in the marketplace, but for now, I hope everybody certainly pays attention to the insights that you've found around consumer sentiment and carries that forward. So that we're not on the front page of the Washington Post, New York Times or any other newspaper or news outlet for anything else but good reason.

[00:19:36] BRIAN: Absolutely. Well, thank you so much. I enjoyed the conversation.

[00:19:40] OUTRO: Thank you for joining the Power of Digital Policy; to sign up for our newsletter, get access to policy checklists, detailed information on policies, and other helpful resources, head over to the power of digital policy.com. If you get a moment, please leave a review on iTunes to help your digital colleagues find out about the podcast.
