Is Cybersecurity a Priority in Your Business?

20 ST. LOUIS BUSINESS JOURNAL

TABLE OF EXPERTS

IS CYBERSECURITY A PRIORITY IN YOUR BUSINESS?

PRESENTED BY

Meet the experts

SEKHAR PRABHAKAR DAVE HARTLEY ROB MCCORMICK THOMAS HAYDE

Sekhar Prabhakar is one of the founders David Hartley is a principal with UHY Rob McCormick founded Avatara in 2005 As a privacy professional at Spencer of C-Edge Software Consultants. Prabhakar LLP in St. Louis delivering “Virtual CIO” with the goal of bringing enterprise level IT Fane, Thomas Hayde aids clients in started his career as a software engineer technology guidance to primarily private solutions to midsized businesses nationwide developing comprehensive strategies to at Arms Inc. working on a subcontract with businesses in the middle market. Hartley through CompleteCloud. CompleteCloud is address information practices and data Booz Allen Hamilton. He was one of the key assists companies with everything from the most secure private cloud environment breach risks, avoid potential claims and members of the supply chain management digital transformation and IT strategy to on the market that leverages virtual desktops liabilities, and ensure compliance with system development team for Continental assessing cyber risks and implementing to help companies centralize data, increase all relevant legal requirements. Hayde Baking Co. (Wonder Bread). Prabhakar then cybersecurity programs. Hartley has performance, and rethink the way they pay also helps clients develop and implement joined Sybase Open Solutions Group and experience in technology, consulting, audit for, access, and support their IT needs. protocols surrounding how to respond supported several Wall Street customers, and C-suite business leadership roles. Prior to forming Avatara, McCormick when a data breach occurs and defends including Merrill Lynch, Goldman Sachs, Prior to joining UHY in 2015, Hartley was chairman and CEO of Savvis clients against potential claims and Shared Medical System and other financial, was vice president and chief information Communications, where he led the company lawsuits regarding data breaches. He has health care and government organizations. officer at Arch Coal Inc., responsible for from its initial IPO (as it evolved from experience defending against and resolving At Sun Microsystems, he was overseeing technology at the company Bridge Information Systems in 2000) to civil claims and enforcement actions under instrumental in maintaining and migrating from 2009 to 2015. He started his career its development and growth as a service specific information privacy laws, such as the Sun Globe System that was used by as a CPA in Big 4 public accounting firms, provider with more than 1 million square FCRA, GLBA, HIPAA and RFPA. senior management to look at sales of the including Ernst & Young, Arthur Andersen feet in data center space, a global network In addition to his privacy and data products across the company. He was also and Protiviti. Hartley’s diverse skillset and and almost $1 billion in annual revenue. security practice, Hayde is a litigator. He part of the quality and financial team, which decades of experience both as a CPA and Additionally, Savvis was honored in 2005 has successfully represented Fortune 50 was responsible for implementing the IRQI a technology executive have made him a with Gartner’s Magic Quadrant Award for and Fortune 250 companies in a wide range (information resources quality index) that sought-after business adviser. Managed Hosting, ahead of companies like of other complex civil litigation matters in was used to govern the Corporate Services IBM and AT&T. state and federal trial and appellate courts. Vision for the entire company. Prior to Savvis, McCormick was COO of Bridge Information Systems. SPONSORED CONTENT 21

Equifax announced a cybersecurity cybersecurity is not just an IT problem; it say is, especially among the smaller somebody else, but it’s not going to breach last month. Last week, is a business imperative. If sensitive data to mid-sized businesses I often am happen to me.” And I think there’s a lot Whole Foods and Sonic announced is not protected, then basically you lose advising that it’s just the culture or the of that thinking still out there. When you cyber breaches. This week, Yahoo your customers’ trust. So, you have to attention isn’t paid as much to this until look at how they got in Yahoo, they did revealed the scope of its breach engage in assessing that risk, and what they suffer a serious or possibly serious a targeted phishing attack on a single was actually 3 billion people, not 1 is the level of security you must attain. incident. Then it hits them that “This is Yahoo employee. The bad guys only billion as previously disclosed. Why By inserting controls, then constantly real” and “It can happen to me, and it have to succeed once where we have to are companies still not addressing monitoring risk, and continuously could potentially disrupt my business to succeed every single time, which is why their cyber risk appropriately? improving upon it, you will minimize a degree of catastrophe.” it’s almost impossible to do. the risk. In the past, companies used to Rob McCormick: The problem you say, “Oh, everything is secure.” So you Dave Hartley: Going back to the original Rob McCormick: People ask, “Why is have in the current age of computing is wouldn’t know unless you’re hacked. question, there’s two things that pop it that all of these hacks are of large people are used to convenient access By following this process, just like how up in my mind. The first thing is, this is companies?” Well, because their to data and oftentimes offline access to you lock your door and check your really difficult work. It’s complex when problem is really hard to solve because data, and there’s a real lack of policies windows, this is basic housekeeping you look at how organizations have they’re distributed enterprises. They preventing them from doing the things that executives have to do, and they grown over decades. They didn’t grow probably acquired the technology over they like to do on the internet. In order should look at it as mostly a business with security in mind. They grew with time, and they can never just start over, to really address these things, you have imperative and not just a technology ease of use, they grew pre-internet, right? If you’re a mid-sized company, to change not just the technology, you problem. and now we’re at a stage where we’re you actually can start over. We tell have to change employee behavior. trying to deal with that. One example people, “The only way to really solve And when those employees are large Thomas Hayde: And in the space of that is Equifax, because if you this problem is start from scratch with performers on the revenue-generation of privacy professionals, there’s this believe the CEO, it was one employee a security-first view of it,” and that’s side, for example, especially in the mid- concept that’s referred to as privacy by who missed one vulnerability, and it technology, employee behavior and business space, employers are really design. And there are some business was combined with the fact that it then the monitoring of that. The larger reluctant to do that. They say, “Well, leaders out there who are trying to was missed by a vulnerability scan. you are, the harder that is to do and its then I have to tell so-and-so to not use incorporate this ideal into their core Look at all the business processes and really expensive. Dropbox,” or I have to say, “You have to mission statement. That you protect technologies Equifax has in place, and it use multifactor authentication to get in,” your consumers’ sensitive information, still happened to them. Same thing with What question should business or “You have to change your password and that the confidentiality, integrity Yahoo. They proclaimed a breach and executives be asking their IT occasionally.” Those are things they and accessibility of that information is said it was a billion accounts affected. leaders? don’t really want to tell their employees protected at the highest possible level. And it was only after Verizon acquired because the employees get aggravated. So every department, every unit, every Yahoo they realized the number was Dave Hartley: Having led a technology We tell people, “You just don’t have a initiative, it starts with what’s called actually 3 billion accounts. Equifax has function at Arch Coal, I would like the choice. You have to deal with it.” The a privacy assessment of how is this hundreds of cybersecurity employees, executives and my clients to ask, “What challenge is cultural not just technical. business initiative going to comply with and it still happened. So, the cyber do you need?” “How can I help?” “What that mission statement? But that’s just response is not necessarily appropriate is it that keeps you awake at night?” I Sekhar Prabhakar: Everything starts not in the cultural zeitgeist of business, or commensurate with the risk right think getting those answers is important with leadership having the buy-in for especially in the U.S.; we do not include now. And cyber risk continues to for you to understand what’s really cyber risks vitally important. Leadership the ideal of privacy by design or security escalate. I think there is a lot of denial has to definitely consider that by design. At a visceral level, all I can in terms of, “It’s going to happen to CONTINUED ON NEXT PAGE R

PUSHING THE OUR CONSULTING can mobilize the right people, skills and technologies to help organizations improve their EDGE OF performance. INNOVATION OUR TECHNOLOGY SERVICES focus on developing robust, secure and stable technology solutions for your IDEAS TO IMPLEMENTATION business.

By incorporating common sense solutions into seemingly daunting deliverables, we can ensure at the start of the project that we will safely deliver the product to completion.

www.cedgecorp.com

CORPORATE OFFICE ILLINOIS OFFICES 655 Craig Rd. 1075 Eastgate Dr. 1821 Walden Office Sq. Suite 220 Suite 4 Suite 400 St. Louis, MO 63141 O’Fallon, IL 62269 Schaumburg, IL 60173 (314) 254-7551 (618) 726-2552 (847) 925-5114 22 TABLE OF EXPERTS

remediation is undertaken after the fact. Security should be an integral part of application development, especially given the rapid changes in technologies that bring a new set of problems of threats. For example, the growing use The risk continues to escalate. of web services that are not secured properly or cloud computing without And I think there is a lot of adequate security controls bring new challenges. “denial in terms of, ‘It’s going to happen to somebody else, but Rob McCormick: It seems to me that the biggest risk going on today for the it’s not going to happen to me.’ executive is that it’s become very easy to turn a well-architected secure system DAVE HARTLEY, into a vulnerable system because data UHY LLP is now easy to store all over the place. AWS makes it really easy. Just get on the web, buy yourself a server with some storage, and put some stuff up there. You used to have to go to the IT guys, and they would have to buy a server, and there was a process and integration, using public Rob McCormick: Have a password and now you can have data repositories cloud services policy. A lot of people” still don’t. So if anywhere you want, easy right? So how because it is you have a problem and a regulator do you, as the business executive, deal R CONTINUED FROM PREVIOUS PAGE easy in the short comes in and says, “You didn’t expire with that? Because to me, the biggest term? I always say, “Let’s not leave the passwords?” They’re going to throw risk is not knowing where your data is. keys in the car.” Look for simple things you out the window really fast. Even In the old mainframe days, you knew happening. But the flip side of that is, to change like password policies or those things aggravate employees that where your data was and had very few it’s not just an IT conversation. You need eliminate the use of external or public aren’t used to it, and it’s not just their ways to get to it. Today we use private cross-functional teams working on it, storage, computers, it’s all their devices. So cloud environments to help people because when you look at the damage again, the business executives need to achieve this piece of mind utilizing the to Equifax or anybody that suffered a Thomas Hayde: As a lawyer, we love understand that they just have to get same old principles: centralization, breach, it’s not just IT that suffered. these written policies and procedures, past that. standardization, and minimize ways You look at all the other things. And and that’s a starting point. What do we in and out of your core systems, or that’s where you need to have people have in terms of written policies and Sekhar Prabhakar: That is a cultural otherwise minimize the surface area of across the entire business looking at procedures? Do they fit what’s actually shift that has to happen. The leadership attack. So if you know where your data this problem comprehensively from going on in the business? If not, what has to really set that policy, and it has is, like the old mainframe I keep going the beginning rather than just being do we need to change or add to in the to be a written policy. Then you need to back to, “All my stuff is centralized. It’s brought in once a cyber breach has policies and procedures? Or what do we ask, “Do we have an insurance policy to in a secure data center. I’ve got firewalls happened. need to change as far as our business cover in case things were to happen?” around it.” Then you have to focus on behavior and our setup? Even industries That kind of mitigation of risks from the keeping people out. The minute that Sekhar Prabhakar: You have to have an that aren’t financial institutions or health business community perspective is very data just starts showing upon laptops overall risk management assessment care-covered entities that are required important. By spending some money, I or in Dropbox you have lost control, for the company. Do we have a risk by law to have written policies and protect a big loss for business. and breaches tend to start happening. management framework? Are you procedures, generally the approach The fact that it’s so easy to put data on putting the right controls in place? So, if of having a written document that What are the top cyber risks that external repositories where you have a threat happens, what is the timeframe sets out privacy and security policies you see companies struggle with? no control whatsoever is a really big that the top executive is going to be gives you somewhere to start with. problem. The multiplication of that informed? How does he need to deal And then on the back end, when an Sekhar Prabhakar: The biggest risk availability has really driven a problem with it? Is there a good communication incident does occur, whether you that I see is that security in most that’s very hard to solve from a business process that is established? Have you have specific regulators in the health companies is an afterthought and not perspective. tried these kinds of cases by simulating care financial spaces, or if it’s just the part of system lifecycle development. similar attacks? Are you storing your possibility of state attorney generals or Code scans are run after the application Dave Hartley: From my perspective, sensitive information in a place that is the Federal Trade Commission, the fact development is complete and both in the public breaches that have isolated from your regular data? You that you’ve, from a compliance and risk should plan a lot of levels of security mitigating standpoint, you’re going to based on your aptitude to deal with look a lot better to have had policies risk. These challenges are not only in and procedures that you adopt that commercial, but in the Department you review, and then importantly, that of Defense too. I attend a lot of you then perform to those policies and conferences, and this is the main thing procedures. they’re talking about that the leadership has to take notice and make sure this entire posture is really there so you can minimize the risk of being hacked.

Rob McCormick: I think it’s important to understand that if you ask the IT guys, a lot of times the answer they’re going to give you is, “It’s a long timeframe, a lot of money, and complicated,” And so You have to have an overall I try not to ask open-ended questions. assessment for the company. To me, the first thing you want to know is, what risky behaviors are going on Do we have a risk management right now with our employees and our “ data that are easily corrected? You may framework? Are you putting the hear, “We’ve got our entire database on laptops that are out wandering around right controls in place? the world.” That should be a red flag. SEKHAR PRABHAKAR, C-Edge Software Consultants Dave Hartley: And those laptops are not encrypted.

Rob McCormick: Right. Or they’re ” SPONSORED CONTENT 23

been publicized in the media along with where you can build fake attacks that need to do about those risks. just some guy decided to attack you. what I see throughout the UHY client really emphasize the learning while Most of this is electronically driven base, is that companies are struggling your employees are facing realistic Sekhar Prabhakar: You have to have the and random. They’re trying to exploit with phishing. And if you’re going to attack scenarios. In a sense, they have process in place. When are you going everything that’s out there. Just being educate your employees and get them gamified security training, it works to inform the concerned authority to in business and existing online, you are to do one thing — if you can get them well as you’re constantly keeping them minimize the risk? You wait for when 1 at risk. Which is why you want to make to understand what phishing is, why it’s aware, because they know you’re testing billion records were stolen, then you yourself look as uninteresting as you can so dangerous, and what they can do them all the time. find out 3 billion were stolen. These electronically. But it’s not just somebody about it — you’ll be substantially down kinds of things have to be addressed had to know your company and go after the path. When you look at the Yahoo Sekhar Prabhakar: Oftentimes, we in a timely fashion to prevent further it, it’s just part of being on the network hack, how did that happen? That breach have this mindset that an attacker is damage. And that is something you in the first place. It’s really horrifying if came through a single phishing attempt always from the outside. However, the have to incorporate into the process you see those kinds of events. targeted at a specific employee. And threat could originate from the inside. depending on the level of risk that you you see that play out a lot. Why phishing So employee training and awareness can handle. Sekhar Prabhakar: Law enforcement has become so difficult is because it become very important. While most is taking cyber crime more seriously. used to be there were very obvious companies have mandatory security Dave Hartley: A small investment Cybersecurity breaches can wreck many things, that when you got a phishing training that employees need to take, up front in cyber preparedness and individuals and families. The United email, that they misspelled words or it would be good to make them more incident response can save substantial States is doing good things, but this is phrases that didn’t make sense. Those engaging and also offer incentives to costs on the back end when something not so in all other countries. days are gone. Now phishing emails are complete the training. does happen. getting really, really good, and it is very What should companies and difficult to tell. That’s why this culture of Dave Hartley: And many nontechnical Rob McCormick: When you talk to the individuals do to mitigate risk and cybersecurity needs to happen, creating business executives unfortunately aren’t business guys, they don’t really have a protect themselves? awareness so that your employees comfortable having this conversation. picture in their head like we do about are an asset and not a liability, and What we have to do is to help them get how risky it is. We hear “Well, I just Dave Hartley: One of the services we that they’re part of the solution, not to the point where they are comfortable had that server up for five minutes.” deliver for our clients is cybersecurity the problem. That sense of cyber having cyber conversations. And it It doesn’t take 30 seconds until employee awareness training. One awareness, the educated employee, flows both ways. They have to express something’s compromised because it’s of our lessons learned over the last which we’ll talk more about later, is an interest and try and make an effort electronic attacks, not people attacks. couple of years is that if you have a paramount in my mind. to understand, but we, as technology, They will find an open door immediately. training where you bang them over legal and other professionals, need So I try to draw this picture. I say, “You the head, “No, no, no. Don’t do this, Rob McCormick: We’ve had a couple to make sure that we eliminate the got this castle with your wall around don’t do this,” they tune out. They customers where there is an email tech lingo and instead describe cyber it. And picture the scene from ‘Lord of don’t listen. They don’t care. We have that looks like it’s from the executive risks in straight-forward terms. These the Rings’ with the castle being sieged an interesting opportunity right now to the CFO pursuing the movement conversations should be grounded in by a million orcs and you kill 10 and that the Equifax breach has gotten to of funds to a false account. It’s really, business risk management — not bits here come more, that’s really what it’s the point where the average employee really hard, even if you’re educated to and bytes, not acronyms, not hardware. like.” That many people and bots are is now concerned. One of the training identify that the message was fake. It’s not any of those things. It’s making trying to compromise your systems and sessions we do now is specifically There are really nice training programs sure that the person understands the your employees all the time. If you’re now that automate phishing training business risk and recognizes what they not paying attention, they will. It’s not CONTINUED ON NEXT PAGE R

CYBERSECURITY MANAGE YOUR RISK

DAVE HARTLEY Technology Advisory & Risk Services [email protected] | 314.615.1244 24 TABLE OF EXPERTS

R CONTINUED FROM PREVIOUS PAGE strategies we use is to try to make haven’t necessarily done what they need needs to be investigated, potentially our training sessions personal so that to do, whether that’s from not having contained, remediated, they have a targeted around the Equifax breach. people actually care and they feel enough time or not making it a priority. head start there, and you have a Rolodex We start the training with some invested in what they’re learning. We need to help people understand of potential vendors that can help you education about the top cyber risks why beefing up their cyber protections out when you need it. Because what — phishing, spyware, keyloggers and Sekhar Prabhakar: I always have needs to be a priority. we see are a lot of our clients, again, ransomware. Then we go into a seven- subscribed to some of those LifeLock waiting. Something happens and then step action plan that people should services, which are good at monitoring Thomas Hayde: From the macabre that’s the first time that they really want follow specifically in response to the things. During the OPM hack, the legal perspective, these incidents are to have a conversation with me. They Equifax breach. We teach them during government provided a free credit going to be inevitable. There’s no such hadn’t thought about this issue in a the class about the steps they should monitoring service to defense thing as perfect security. So with that way where they’re prepared to act as take to protect themselves. And I’ve contractors and employees. This in mind, looking at our small to mid- quickly as they could because some of never seen a group of cybersecurity information was sent in letters and sized client base, we are talking about these incidents, you’re talking minutes training employees that have been more e-mails. However, not many people cybersecurity insurance, and it’s less are important. Hours are critical. Days engaged. The participants are taking took the initiative to register for these common the smaller your company can mean the difference between your notes and come up to me afterwards services unless something happened to gets. But companies really need to business making it through the incident and ask, “Can I share this training with them. It is important that we are more be considering what the potential or not. my kids? My family? Will this session be proactive and protect ourselves by exposures are when an incident is going recorded where I can have them watch utilizing these types of services and not to occur. Cybersecurity insurance is still Rob McCormick: A speedy response is it?” Because it is things that we should wait until something happens. a product in its infancy, but it’s certainly really, really important in almost every be doing, but a lot of us aren’t. I did a grown leaps and bounds. And I think the instance. And if you’re prepared, you presentation yesterday and asked the Rob McCormick: It really is a life skill insurance industry is really figuring out can move quickly. group, “How many of you are aware now. From the time you’re born to the how to price and service that sector. So of and concerned about the Equifax time you die, you better understand, it’s going to become more accessible. Sekhar Prabhakar: I would like to breach?” Every hand in the room went whether it be at work or at home, people It’s going to become something like have an attorney as a part of my up. My next question was, “How many are out looking to get at you in an your general liability, your workers’ cybersecurity defense, because I want of you have done something about electronic fashion. comp something that needs to be a to know exactly what I’m supposed the Equifax breach or have a plan for part of your portfolio. Other than that, to speak about and not supposed to what you’re going to do about it?” Two Dave Hartley: I had the unfortunate I also recommend companies bring in speak about. What information should hands out of over 100 people. And pleasure of somebody filing my taxes experts, whether it’s an outside counsel I be sharing at that moment and that’s where we have an opportunity to for me three years ago. So I have been or forensic experts. With those type with which sources, and how should really connect with people on a level to the IRS office in Chesterfield more of vendors and consultants, you need I communicate? It is very similar to that they care about because now than I have ever wanted to. And then to have an ongoing relationship with registering a complaint with the police they’re concerned and want the help. somebody hijacked my personal email them and not wait until you have a and hiring an attorney for what you If we can teach people why phishing account. Those two things, without problem. That way, someone doesn’t experience in other situations, such is so dangerous on a personal level, causing a lot of damage, made me have to first learn everything about as property damage or when you are that benefits the employer too, and hypersensitive and hyper aware of your systems, everything about your injured. This approach will help deal you now have a more educated and personal cyber protection. A lot of business after something happens. with cyber crimes in a better way. secure workforce, but it’s also benefited people are living sort of in this fog and They have a baseline understanding, so them personally. So that’s one of the they don’t clearly see the issue, and they that when something does occur that Dave Hartley: We co-hosted an event

Spencer Fane LLP 1 North Brentwood Blvd., Suite 1000 | St. Louis, MO 63105 319 North Fourth St., Suite 300 | St. Louis, MO 63102 Phone: 314.863.7733 | spencerfane.com

The Law Firm Where Your Business Leaders Work With Our Business Leaders

As a client, you can be certain that your interests are our priority, because we work decisively, execute with purpose and understand the importance of flawless timing.

Spencer Fane St. Louis Attorneys: Eric Block Carl Desenberg Ryan Hardy Megan Meadows Eric Peterson Ravi Sundara Mark Boatman Scott Dickenson Thomas Hayde Dick Mersman Len Pranschke Frank Susman Soo Hyun Cho Sherry Dreisewerd Ed Holderle Amy Mistler Robert Preston Pat Whalen Jack Coatar Jane Dueker Tom Jerry Mike Murphy Glenn Robbins Jalaine Wheeler Brad Cytron Robert Epstein Richard Lageson Frank Neuner Baerbel Schiller Kate Whitby Leslie DeGonia Jeff Figge Bob Lattinville Ken Newman Scot Seabaugh Jim Dankenbring Arthur Gregg Jim Loranger Tom Osterholt Francis Slay Roger Denny Gerry Greiman Pat McLaughlin Aaron Pawlitz Erik Solverud

© 2017 Spencer Fane LLP | The choice of a lawyer is an important decision and should not be based solely on advertisements. SPONSORED CONTENT 25 a couple weeks back where the group was challenged to respond to cyber response scenarios. We said, “Here’s the breach scenario. You all have to respond to this case study.” So the discussion started with basic questions like, who It’s been a very common thing is authorized to talk about the breach?” Trust me — when the house is on fire where there have been is not the time you want to be making vulnerabilities exploited across these basic, critical decisions. Anything “ you can do to prepare in advance of platforms that a lot of different a breach, like developing a written incident response plan, will prove merchants were using, and credit extremely beneficial. During each of the scenarios we asked four or five fairly card information is getting stolen significant questions about decisions from that platform, from that little that have to be made quickly. I think there was a real a-ha moment for the point in time from where they’re business executives thinking, “Wow. I never really thought about that before. putting it in on your web site to If that were to happen to my business, it would be incredibly damaging.” So where it gets encrypted and sent to getting people to engage and really the processor. think through some of these decisions in advance of a breach is critically THOMAS HAYDE, important. On a totally separate point, Spencer Fane I was talking to an insurance sales representative for one of the major insurers last night. And he said, “We feel we’ve pretty well penetrated the public company world,” but what they view as the next big market for cyber insurance firewall traditionally was; outside-in” could have caused problems. credit card payment information. And is the middle market. I think the need is not the only problem anymore. It is a lot of them have been vulnerabilities for cyber insurance is, unfortunately, often an employee that got phished Rob McCormick: That’s a good point. from e-commerce platforms. And it becoming more significant every day. So or somehow compromised, and now Quarterly scans or just making sure your gets down to the assumption of the I think that in the next five years, you’ll they’re in. By the way, no light goes off PCs are all patched is just not enough businessperson that that vendor was see a significant push from the insurers saying “Somebody broke into one of anymore. Things change so dynamically, going to be responsible for making into the middle market. your 400 desktops.” They’re going to intra-day, intra-hour, intra-minute. sure everything was patched, and that hang out there for a long time quietly Unless you’re using third parties that are wasn’t addressed. So business people Sekhar Prabhakar: You also want doing their thing, because they don’t actively in the current threat space that need to be aware of that, and bring in to make sure that the businesses want you to catch them. The longer know, “Today, something just came out consultants, counsel, whoever it is, to that you’re engaging with have a they go without getting detected, the five minutes ago,” your going to be too help them review their contracts with good cybersecurity policy. Are they more damage they can cause. If you’re late. Take the WannaCry ransomware those key service providers to know, going through the training? There is just watching your outside firewall and that caused so much trouble. The “Who’s responsible for making sure a possibility their systems could be happily doing your business, you’re people that were using services that this aspect of security is going to be compromised which can hurt your going to get nailed eventually. The understood how to quickly close down covered?” Because these patches are operations or services. These kind technologies that actively watch what’s the vulnerability had no issues. Other put out, and then it goes months for of checks have to be done. And one going on internally and prevent those people paid a huge price; you really some of these companies that they other thing I liked what you said about kinds of behaviors inside the firewall are need to leverage security experts. Your didn’t have their e-commerce platform getting experts to come in and talk with really important. traditional IT support is not in the fight patched. And it’s an easy vulnerability your employees can help increase this enough to know how to handle all the for the hacker to exploit. And then for awareness across businesses. So that Sekhar Prabhakar: Mobile phones various attacks. We consider ourselves some companies, that ends up being you have neighborhood watch. There have become one of the key things pretty good at what we do, and we still all your customers in a six-month is a benefit to everyone being involved where people use it for everything. leverage industry leaders when it comes period now are going to be notified, as this benefits the entire business So, when one of the firms asked us to to security. and they’re going to realize that their community. build a mobile application, we send credit card information was exposed a list of questions. That includes “Do Thomas Hayde: Reviewing contracts because of your company’s failure to What kinds of tools and services you give your mobile phone to your with your vendors as well. They may protect their credit card information do you recommend to ensure kids?” “Do you let them install any sign up for e-commerce platform and that they thought was secure when companies are prepared to apps on them?” These are some of the web development contract with they entered it on your web site to minimize breaches? key things we want to know, because a provider, and then they assume buy $100 of whatever widget you’re a lot of free apps collect information. that that vendor’s responsible for selling. And so, are they going to come Rob McCormick: I think it’s really On my phone, I don’t download any patches, when that’s not set forth back and engage in e-commerce important for companies to understand apps, no free things. These are some anywhere in the contract, that wasn’t with your company again? It’s a huge that the days of passive security precautions I take personally. Also, you addressed, that’s just an assumption. potential intangible cost to your measures are long gone. It used to be, may have the best tools and you may We’ve seen that happen a lot. And business goodwill, and I think it goes “Yeah, I bought a firewall. I put it on the have the best people, but not having then a patch gets missed. And on back to the culture issue, again, that Internet. We’re good, right? And every the whole risk assessment and the the e-commerce platforms, it’s been businessperson not realizing that was once in a while, we’ll check and see if security framework that fits your needs a very common thing where there a point that needed to be addressed anybody’s trying to get in.” But as we for your industry and your customers is have been vulnerabilities exploited and just assuming, “Well, I’ve got these talked about before, it’s significantly very important. CEdge has developed across platforms that a lot of different web site developers that are bringing more likely that the attacks are going our own tools such as cyber edge and merchants were using, and credit card in an e-commerce platform. They must to come from the inside. It oftentimes forensics edge. We start from assessing information is getting stolen from be responsible for it, right?” And they’re is an employee that doesn’t know risk, analysis and penetration testing that platform, from that little point not. they’ve been compromised. If you’re to help design a cyber posture. We in time from where they’re putting it not actively inside the wall looking for are working on predictive analytic in on your web site to where it gets Rob McCormick: We are the virtual CIO issues or threats, you’re most likely capabilities as well as post analysis encrypted and sent to the processor. for most of our customers. We have had going to miss it. Tools exist today that in case a customer is hacked. This And if you go look, various states cases where the marketing person or dynamically respond to the changing includes forensic evidence from logs. will keep a database available where the sales person wants to build a site threat factors, whether it be the web- Sometimes people say, “Oh, we are you can look at all the data breach for their customers, and they hired a locking technology that do not allow using ArcSight or Solarwinds to protect notifications that companies have had web development company. These guys your employees to go to sites with our site.” And these tools certainly do to give. California has one that may be are usually artists that know how to ransomware, or active internal intrusion that. But if people are not alerted in a the most comprehensive. You can go make a site look pretty, but they don’t detection looking for somebody’s timely fashion and things are not taken look through there if you’re interested understand the technology. And then they hire someone else to do the back internal PC trying to break into the care of, you may have the best tools but and see that a lot of the breaches over server. This is all inside where the still you may have let go something that the last couple of years have involved CONTINUED ON NEXT PAGE R 26 TABLE OF EXPERTS

chain is really growing. It’s critically important, for the reasons that you guys have outlined, that you need to know what your partners are doing — or not doing. You can mitigate some of the risk from a legal perspective by If it is more than just a brochure including protective wording in your contracts and transfer some of the risk for your company, if it actually through cyber insurance. But managing captures data or credit cards or third-party risk needs to be an active “ and intentional task you perform, not anything like that, you need to something that you get to only after something bad has happened. really think that stuff through. Rob McCormick: That’s 100 Because most of those companies percent right. Our customers, are not all that sophisticated Boeing subcontractors, Lockheed subcontractors, medical malpractice about it. law firms that deal with Cigna, we have clinics and hospitals, and they’re all ROB MCCORMICK, getting pushed down security standards Avatara from larger customers or industry regulators, and you can’t answer the questions that Boeing or Cigna asked you accurately if you can’t actually inspect what’s going on. So the concept of, “Well, I’m hosting my stuff with the R CONTINUED FROM PREVIOUS PAGE big guy so it must be OK, does not ” work,” bigger is not better anymore. As end stuff. All done with little to no long- the world, there could be issues. I heard Microsoft or AWS, do you really know a matter of fact, bigger may be much term accountability or concern around from one of the executives who went where your data is? Or if you use Google worse, because you have no control security. It’s one thing, if it is a pretty to another country to their office there, or Dropbox, do you know what they’re over what they’re actually doing. And brochure that sits off the network, but and he was under the impression that doing? What happens when something they may say, “Well, you have to patch what if it is capturing credit cards or it would be well protected, and he was goes wrong, can you call them up for your own systems,” but Amazon has other consumer data. You really need to surprised that it was a very small room, help? Do you just trust that because systems underneath that are running all think this stuff through. and there were a bunch of people they’re big, they’re smart and have your this stuff. How do you know what they’re doing the entire IT operations from businesses best interest in mind? We doing with those? Sekhar Prabhakar: Oftentimes, we also that room and not much security. So build a private dedicated environment forget about the physical security. A what is the level of physical security per customer. We use a subscription Dave Hartley: I take a little bit different lot of people in offices, they take it for you have in those places? Have you model, so it’s got the economic benefit view regarding the size issue. For granted. They’re not in their seat and done any assessment? Because our of cloud, which is you didn’t have to buy example, Amazon Web Services (AWS) they don’t even have a screen saver government says we are to protect our all the hardware, but it’s yours,it’s built publishes an AWS risk and compliance turned on in a few minutes if they’re borders it does not mean protecting from scratch, and you know where it is. whitepaper that outlines its approach not really working at the desk. At Sun just physical boarders. You’re having to We give midsized businesses the ability to cloud security and how AWS Microsystem, that was taken seriously protect virtual border, which means IT to move to a new environment that integrates into all of the major control and our CEO Scott McNealy often talked assets and data in other counties too. Is was built with a security first mindset. frameworks (NIST, FedRAMP, HIPAA, about this. You’ve got to have all those the government going to really ensure Again, think mainframe, all your data ISO, etc.) It begins with about 20 pages controls, including physical security. that people are taken to task if data or in one place and very secure, meshed of its approach to complying with all And also the point you bring up is a IT assets are lost? Do you want to put with the access and mobility of today’s of those control frameworks, including good thing with e-commerce. We have the data that you cannot even get by environment. Done right, you can have links to its SOC 1, SOC 2, SOC 3 reports been doing e-commerce work for the requesting a subpoena or whatever? the best of both worlds. audited by an independent CPA firm. It last several years and have helped our All those things come into play, so it’s basically says, “Here’s our approach to clients achieve PCI compliance. While always good to have companies rely Dave Hartley: So my firm sees mitigating cyber risk and we have audits to prove this is what we do.” They also the statement of work may outline on local companies to do business outsourcing from a slightly different include their responses to the Cloud the scope related to the compliance, especially when it comes to sensitive perspective. My firm provides traditional Security Alliance’s questionnaire in the it gets tricky when it comes to whose data as risk could be better contained. audit and tax servicess, in addition next 50 pages. So there’s a fair amount responsibility it is to deal with certain to other outsourcing and consulting of information that the major cloud things. For example, patch management Rob McCormick: We’ve seen this swing services. We also perform SOC audits players are putting forward and they are at the operating system level is very from when I was really on mainframes, for companies, such as SOC 1, SOC 2, having audits performed to prove those important. When a security loophole is which are very secure — you knew SOC for cybersecurity. We’re seeing a controls are in place. I agree with your found, you have to put the patch in. In they were in a room with locks and real explosion in demand caused by statement though that the problem is large enterprises it is hard to get those really hard to get into — to this now the concerns about outsourcing that that you have to read the information patch updates in place unless there is highly disaggregated environment with you guys have just raised. Companies provided by the cloud provider and a clearly defined plan that considers data everywhere and public cloud are now saying, “I have to get a handle understand those controls, including all aspects of risks. A well-defined and really easy to get access. Now I on my third-party cyber risks. I need figuring out where your infrastructure operational framework helps protect the think businesses are starting to get to know what my partners are doing and applications end and where theirs company. This has to be monitored and suspicious of that. Because I go back to protect me.” We’re seeing middle begins. That overlap and interplay continuously improved. it is very much to, what should I know as the business market companies bombarded with between the different environments is necessary that the senior management owner? I should know where my data questionnaires from large public critically important, especially as you allocates the necessary resources and is and how can people get at it? And companies trying to get a handle use more and more external partners make it a part of the mission. the only way to really know that is to on their third and fourth party cyber and cloud providers. You have to really make it a much smaller problem. We talk risks. Rob, you’ve probably filled out pay attention to this convergence of Talk about the pros and cons of heavily about, you got to think about, dozens or thousands of those types cyber worlds to make sure you don’t get outsourcing. how do I centralize everything? With of questionnaires for your business. burned. our product, even your desktops are What the AICPA and others are driving Sekhar Prabhakar: Global companies in the data center. What you see is like towards is more clarity in the market Rob McCormick: I’d make a relatively keep outsourcing the work in different a movie of what is happening on your regarding cyber risks. In addition to the technical argument that the more places, and then there’s mergers, computer in the data center, kind of usual SOC 1 and SOC 2 reports, we’re generic the infrastructure, the less acquisitions, and then you go ahead like the terminal to the old mainframe. seeing other forms of third-party cyber secure it is. Amazon does have all that and deal with those things as they come And the only thing in and out of the risk management evolve, such as shared documentation however, they’re trying up. These companies look at any data data center is that picture, and even assessments and the Cloud Security to provide a very flexible, very dynamic residing in the U.S. and know that it’s that’s a highly authenticated and secure Alliance (CSA). We’re starting to see this infrastructure that anybody can just protected by the policies established by channel. There’s no holes open into the need for independent assurance really go use. We think security by design the government. The information has to data center because they don’t have grow. The trend towards understanding, is what’s important. You need to think be made available when our government to be, and you know exactly where measuring, and managing the third- from the bottom up. “What does my demands. When you have offices around all your data resides. If you host with party risk in your technology supply business do?” “What do my systems SPONSORED CONTENT 27

need?” And, “How do I, from the bottom just the response costs, not third-party Sekhar Prabhakar: So whenever we get have all of the nice SOAs and everything up, make sure that it’s secure for what liability, but just your first-party costs a contract, especially with the DOD, we else, but uncapital liability if something I need to do?” The generic system can are going to exceed six figures easily. make sure what our liability limits are ever goes wrong, I always say, “Do you be as secure as they can make it, but So, again, having counsel that can to ensure we are covered. I don’t want have that today from your one outside it’s still a generic system. In which case, review those contracts for you and to sign up for something where I have IT guy in the closet?” Whatever it is, they’ve got to have some openings in determine your level of risk, and then a provider, and he goes like, “OK. We’ll even if it’s a really nice system and you there that you wouldn’t necessarily want help you go to your broker and figure pay you $20,000 for an incident,” and got 10 IT guys. Are those guys liable to have. They have to have user-friendly out what you need in your insurance our client is looking for a much higher if they mess up? Do you get to go and portals that let you go turn things on portfolio, because these are costs that coverage. So those kinds of things extract your $10 million from your five and off, and create openings. We think, could cripple a lot of these closely- have to be assessed on a regular basis IT guys? And the answer is no, right? if you’re really building an infrastructure held businesses. So that’s another for every contract. And going back to So outsourcing shouldn’t mean always for your company alone, there are ways important thing I think for them to be your point about the insurance and moving the liability if something bad to do that without buying into the big cognizant of. As great of a security that covering those things, everything will goes on. You should recognize as disaggregated companies. you feel that you’re getting through be looked at. So if we take the scenario partners that if something happens, some of these products and doing it you suggested, that there are going to then there has to be insurance or a plan Thomas Hayde: I’d say for a lot of the right way, incidents are going to be increased costs when the breach to cover. the small, closely-held businesses be inevitable. Human error is a factor. happens, let’s reverse it. Let’s engage we deal with, cloud solutions are I think depending on what survey you an attorney before. Let’s engage an Sekhar Prabhakar: With large cloud pretty appealing. It makes it easier look at, in two-thirds of incidents the assessment firm. So that companies providers taking over everything, for someone to get that consistent primary factor is human error. So that’s are at least aware of the costs and what there’s so much data, and you are at security control across the whole always going to be out there. And so you can go ahead and take care of in a lot more risk. It may be better to go system down to the network. But then you’re going to have to deal with the a structured way to minimize those with other providers and spread out the from the legal perspective, I’m sure contingency of, it’s inevitable that you’ll problems and say that if things were risk. Certain things I may put on cloud your master services agreement has a have to deal with some sort of data to happen, you can at least use that provider like Amazon, but certain other limitation of liability. They all do. And breach. assessment as a baseline to, “For 20 things I may put on a local company like it’s usually defined as a limit on how hours, I’m being charged this much.” Avatara. This can minimize your risk. So much you paid us for these services for Rob McCormick: The insurance point So you have to do the same from a in that way, I am going to a provider, I the past quarter or six months. I think is a really good one because you’re business risk assessment perspective. can hold them responsible for a certain the longest I’ve seen is two years. And correct in that service providers are not SLA and cost associated with certain that can sound like a pretty big amount. going to take on unlimited liabilities Rob McCormick: I like this topic, applications. Risk assessment posture But people don’t realize the potential or the price for their service would be because I hear it all the time, “Well, can help with analyzing current and costs of responding when an incident something no one could afford. Our you should just take on the liability.” future needs to better plan the security occurs, and the potential liability to typical customer will move their data So you went from this really insecure posture and have proper insurance and third parties. So you’re talking about from servers in a nice IT closet in an thing, right, with huge risk, and I don’t process to protect yourself. big first-party costs of bringing in office building that may or may not have have a liability on that. You’re going to forensics, folks to assess and contain, a janitor with a key to their server closet. pay me to improve your risk situation Rob McCormick: We often times move bringing in the legal services, bringing We move them into a centralized exponentially. And then on top of customers off of big shared email in notification services that can get audited secure physical facility with that, you also want me to move all of providers when we onboard them. We pretty expensive. What I’ve seen is a lot of really good tools in place to your potential liability to me, right? like the idea of keeping your server data, you get anywhere from five to 10,000 protect their data. They are definitely So it’s not a rational thing to ask your including mail inside the castle, where records in a population of consumers decreasing their risk, but that does not service provider for. And people should we can protect it and care for it. Our that are affected by a breach, and relieve themof all potential liability. Its understand that. That’s kind of the way customers like calling people they know you’re starting to get pretty sure that still a real good idea to get insurance. that works. Now your contract should and trust if/when this ever occurs.