In this day and age, everyone is at risk of cyber threats. Small businesses are just as vulnerable to cyber attacks as the Fortune 500 companies. The question is, what measures should be implemented to prevent such threats? In an interesting discussion, Doug DePeppe, Hilary Wells, Ed Barkel and Bill Nelson explore why small businesses must start paying attention to cybersecurity, as well as the importance of protecting their customers, their employees, and their data from cyber breaches. They talk about the unseen risks that cyber threats pose to both start-ups and major corporations, and share tips on what organizations can do to enforce reasonable security measures and practice proper “cyber hygiene.”
—
We have a unique podcast. We would call this a panel. There is Doug DePeppe. We have Hilary Wells, Ed Barkel and Bill Nelson. Doug is with EOS Edge. Hilary, Ed and Bill are with Lewis Roca Rothgerber Christie. What we’re going to talk about is cybersecurity. Tell us about your business and who you serve.
We’re a full-service firm. We will talk a little bit later about how we’ve formed a strategic alliance with EOS Edge. We represent companies everywhere from banking to insurance companies to investment advisors, healthcare schools and manufacturing, everything in between. What we found is that all of our clients have access to data. That data needs to be secured. We’ve developed this group to work with our clients and help them, especially the small to medium size clients, develop systems, processes and methodology so that they can help keep their company data safe. Maybe even more importantly, their clients’ data safe.
You have been thinking about as a small business owner. Ten, fifteen years ago, I didn’t even need to think about this. I talked to a couple of groups here and their age was similar to mine. Most of them don’t use LinkedIn. Most of them don’t look at their email. What I would think is the awareness of the smaller business owner is not that high. Why did you form what you formed? What was the motivating factor?
What we did is we followed our clients and their path through data protection and cyber issues. Data protection, as far as a large industry that first encountered it, was the healthcare industry with the passage of HIPAA. As Ed said, we represent a lot of insurance companies. We represent hospitals systems. We saw that group be the first to try to tackle what information they were collecting, what they were doing to store it, then their obligations to protect it. The financial services industry was next. We had Gramm-Leach-Bliley and other regulations from FINRA come out. Our regulators are now requiring us to have these plans, these systems and these policies. How do we do this and how do we stay compliant? In the past five years, what we’ve seen is we’ve gone from regulated entities who are doing what they had to do because they were told to do so to an interesting standard that’s developed for all industries across the spectrum regardless of whether or not a regulator is directing what you do and how you do it.
It’s finding the customers or making buying decisions in part based on how are you doing in this field? If I’m going to trust you with my information, how do I know that you’re doing what you can to protect it? That’s not a Facebook problem. It’s not a Twitter problem. Businesses of all sizes have employee information. They have customer information. They have information to be protected. What we’ve done is we’ve transitioned from advising on what the law is, which can be daunting to bringing to the table for our small and mid-sized clients an opportunity for them to assess what their particular risk is and how they can try to mitigate those risks.
For the small business owner, did they walk into this or were they dragged into this?
I would say both.
Good 'cyber hygiene' is essential for data security.
We think about the hacks that happened in some of the retailers or at a hotel chain or some of the others. It’s not typically what I would think of as a small business owner. I was there buying a pair of socks. All of a sudden, my data’s out in the breeze. For you guys, are you predominantly front range? What’s the extent of your coverage with your firm?
We have a Southwestern footprint. We have offices in Colorado. Our home office is in Arizona. We office in Nevada and California as well. California has jumped feet first into the data protection and privacy issues with enacted law. We see lots of development as far as standards. Again, what do you have to do? At the same time we see clients trying to do the right thing and to understand what their risks are. You mentioned something interesting: how does this come up in these large breaches where I purchase some socks? Doug can speak to the type of encounters that small businesses have with ransomware and other forms of mischief that create real problems if you’re trying to get access not only to your customer information but to your AR system so you can get your bills out and get paid.
Thanks, Hilary. There’s a notion out there that I’m not being targeted, it’s someone else’s problem or my business is not likely to be attacked. What we’re seeing on the dark web or the darknet is that there’s hacking for sale as a service. There’s a whole black market where hackers are selling their services to others. Some of these organizations have the massive capability to break into search engines, for example, and to attack whole countries based upon IP ranges. It’s a dragnet. It’s not about, “They’re not going to look at me.” It’s not remaining under the radar. You could be swept into a dragnet attack because you have a vulnerability that someone is looking for.
I am thinking back to the small business owner. I’m the business owner and I go, “I change my password regularly. I’ve got a Comcast or another provider for my internet security. I have a router and stuff. I try to back up my data periodically to one of the backup services. Am I still exposed?” What would you say to that business owner that says, “I got this covered”?
Being secure on the internet is frankly not possible. It keeps changing. You can be up with compliance and what the current best practices are. There’s something called a zero-day exploit. A zero-day exploit means that someone’s figured out that there’s an exploitation of a vulnerability that no one knows about yet. They developed a hacking methodology to exploit that. That’s called an exploit. It’s not possible to be secure, which is not saying, “It’s a losing battle.” The name of the game now is being resilient, being able to withstand attacks, detect incidents and anomalies and being able to recover quickly.
In the military, we used to call it the tallest man in the foxhole. If you have zero protection and zero things done, I would think that you would be an easier target than somebody that’s done something.
It’s trying to be, as the joke goes, “Faster than the next guy when the bear is out there.” You don’t want to be the low hanging fruit. We’re going to talk more about cyber hygiene. If you have a baseline level of security and you’re resilient, then you’re going to run a little faster than the next guy.
Cybersecurity: It’s not a hard attack that gets a good company, but the mistakes by those who let the hacker in.
We did mention it that Doug is with EOS Edge. We’ve been talking about the law. Everybody here is an attorney except me. I can’t even talk that much. In thinking about that, you just don’t do the law though. You also do practical help and remedies for the business owner and suggestions to help them understand what they can do and what their risk might be.
One of the value adds that we’re trying to bring is not only to tell the client what the new law in Colorado is, what the new law in California is, but to take themselves from being low hanging fruit and move forward. Some of that’s education as to what the potential risks are, what steps they can take to protect their data and what they can do with their employees to help their employees help them build that firewall against an outside attack. Frequently, it’s not a hard attack that gets a good company, it’s mistakes by the employees who let the hacker in.
This education and value-add was part of our goal. We’ll also talk about cyber insurance, what steps you need to take to put that policy in place, have it stay in place and have coverage. We’ll talk about what those costs are. It’s to help the client, the small business owner, understand that they do have assets to protect. They do have a reputation to protect. As Hilary said earlier, there are buying decisions happening now that are based upon a safe company versus an unsafe company. We want our clients to be able to be a safe company so that they’ve protected their data, they have good cyber hygiene and we’ve given them that value-add.
In the transition world for businesses, there’s also that discussion about intellectual property and how to protect it. We talk about outside actors. There’s also the inside actor that can take and go in. When you guys are looking at companies that you touched on some that are coming to the marketplace and looking at policies, procedures and intellectual property protection, what are you seeing from the buyer’s standpoint? Are they starting to focus more and more on that?
They are. We’re seeing that as part of due diligence in mergers and acquisitions. Financial audits have always been the standard for what we need to have in place, get through, have the professional’s opinion on before we close the deal. What we’re finding now is there’s also a need for a cyber audit because as you take on somebody else’s infrastructure, their employees and their systems, you very well may, as a large hotel chain did, buy into somebody else’s cyber problem, not realizing that you’ve done so. There are a lot of places that this piece of work becomes important. From a business perspective, it’s not a matter of, “Am I going to get sued? Is there something bad that’s going to happen?” It’s “What do I do to protect and add value to my business and make sure that I’m appropriately valuing what I’m considering either acquiring or selling,” as you’ve said.
It’s just good business.
Having come out of some of the M&A work in my early days, one of the things we always looked at was, “I can do an asset purchase or I can do a stock purchase. If I do a stock purchase, I buy all the problems.” Now in the cyber world, buying the assets doesn’t necessarily insulate you. In fact, you may be buying into that hotel chain problem. Having that search done, having the review done, looking at the policies and procedures that the company had and going through an EOS Edge review to see what their CyberGaps are is important. We think that going forward, even the smaller businesses, whether it’s Baby Boomers looking to transition out of their business, need to have done the housekeeping to set things up so that they can sell the business for the greatest value.
There are problems you can't solve but can mitigate.
Hilary, what pushed you to go through this data protection and cybersecurity side?
It did develop from representing groups in highly regulated industries that were coming to grips with our legal requirements. As we saw the requirements in the new Colorado law that applies to all businesses concerning the need to protect client information to make sure that it’s disposed of appropriately when it’s no longer needed, we had an opportunity to stand back and say, “If I were the business owner, has Lewis Roca Rothgerber Christie answered my problem?” What we found is we were able to and did very well give the legal advice around what you need to do in order to be in compliance. The business owner is looking at it and saying, “What’s my problem? You’ve told me that this is a problem, but how is it in my business a problem and what can I do to improve it?”
It’s the reason we’ve reached out to Doug DePeppe and his group, who’ve got the real technical expertise, background and consultants who can evaluate what your risk is given the business you’re in. If you’re a tow truck company, you’ve still got risk. It may not be the same as the risk of a bank that’s got intellectual property that it’s protecting for itself or others. With his ability to assess what the risk is and what can be done to improve, we found we became a full-service partner for our clients because we weren’t just reporting on a problem that they read about every day. We were also bringing in, “This is what you can do in order to manage the problem you can’t solve, but you can certainly mitigate.”
Doug, for you, how did you get down this cyber road?
I’m retired military. This is the way that we practice law in the military. It occurred to me that you do a lot of work and sessions with new businesses, ventures and opportunities. One of the maxims, if you’re going to start a new business, is what’s my differentiation? What’s my value proposition? There’s a phrase called having an unfair advantage, which is a good thing if you’re opening up a new business. I looked at that and felt that the best cyber firm was a cyber law firm. The reason for that is there are certain advantages. First of all, lawyers have to do what’s in the best interest of their clients. We’re ethically bound to do that.
We’re not hawking a service or a product or looking at our line card for our partners to fit that into a particular opportunity. We’re assessing and solving the client’s problems so that’s one feature. The other feature is that especially in cybersecurity, businesses are trying to figure out where to start, what’s enough to spend and what’s enough security? Those are delicate conversations. Being able to have that conversation and provide expert advice in a confidential setting is something that other cyber vendors can’t do. We bring all that and we do it from prevention all the way through an incident response. That’s why I got into this space.
What Hilary was talking about is this tool we developed, which is CyberGaps. Ed mentioned it as well. It’s an assessment methodology that is quantitative. In other words, we’ve been talking a lot about risk. How do you measure risk? How do you know when something is enough? We identify the gaps. We score them. The score is based upon something like efficacy data. It’s based upon data that’s out there in the marketplace. It shows what’s effective. We scored controls so that when we go into a company and we do an assessment, we can tell them exactly what they need to do to get to a targeted score based upon math. That’s defensible. Their decisions on what they’re going to do and whether enough is enough, they can back that up based upon data.
Cybersecurity: There’s personally identifiable information or other sensitive information on devices all over the place.
I’m the business owner and I go, “Not only do I have a gap, but I’m also clueless.” I know I need to do something toward the issue’s resolution and you guys come in. What should I expect when you walk through the door? How long are you typically in my company? Walk me through that so I would know what to expect.
I’ll start with the end. We want, at the end of the assessment, to give you assurance and defensibility that your roadmap going forward is logical and defensible. How do we get there? We start out by looking at the organizational profile. In other words, there’s an inherent risk based upon the business you’re in and certain of your practices, and we would develop an inherent risk score. That provides us their target. It’s high, medium, low. What risk are they in?
What would be a high industry? What would be a low industry?
It’s a factor space. For intellectual property, do you have a lot of intellectual property? Are you engaged in a lot of financial transactions? These are all the elements that create risk. There are certain sectors that have a high propensity for being attacked. As the saying goes from the 1920s, 1930s, “Why do you rob banks? Because that’s where the money is.” Those factors, are you a target for those reasons? Once we profile the organization, we do a full assessment. It’s holistic. People call it 360 or holistic. It doesn’t look exclusively at the network. It looks at their sales practices, their HR practices. Do they have committees that oversee or not? Once we’re done, we give the report that spells out, “Here’s your current score. We’re going to put you on a maturity model,” meaning here’s your roadmap floor. Let’s say the results of the assessment and the scoring are based upon a 1.0 index. Let’s say you’re at 0.65 and need to get to 0.7. Two-factor authentication is worth 0.06. Do the math. You just hit your 0.7. Your decisions are defensible. You’ve engaged in a logical assessment to arrive at this roadmap.
For the business, looking at it, we have to do cyber insurance one way or another. They come through and use your gap tool. Do the insurance companies recognize the ranking for cost reduction or whatever?
The insurance companies, when they are doing what’s called the underwriting of the policy, are asking a lot of questions around what are your networks, what are your practices, what are your procedures? How many records do you have? We find that sometimes we’re asked to get involved because of an insurance application. The smaller, mid-sized business owner doesn’t know the answers to these questions. They may be cloud-based. They may be using other services. What they’re finding is their insurance brokers are coming to them and saying, “This is a risk you have that is probably not covered under your regular liability insurance. You need a different policy.” When they’re going through the process of trying to get that policy, they are learning, “We don’t know very much, or maybe as much as we would like to know, about our system.”
The type of assessment that Doug is talking about drills into what is out there, how